ia8853 asked ia8853 commented

No "state" in "Add to Glip" bot callback

OAuth2 callbacks should have a state variable within them to verify the callback.

/?state=xyz&code=123

However, when we click the "Add to Glip" button no state is passed. The callback URL looks like this:

code=123&client_id=XXXXXcreator_account_id=1234567890&creator_extension_id=0987654321  

Another problem is that, as the callback does not occur in the user's browser, we lose all cookies/sessions. We have no idea who the user clicking the "Add to Glip" button is.


Tyler Liu answered
There is no state. But there is a Verification-Token in the header with which you can verify that the request is indeed from RingCentral.

After you click that button, a bot user is created. When you get the token there is an owner_id property and that is the bot user's id. So it doesn't matter who clicked that button because the token is the newly created bot user's token.

I am not an expert either. We can discuss.

ia8853 answered ia8853 commented
Thanks Tyler,

While connecting Glip to our app, we need to know the person who clicked the button. This is required to keep the user experience seamless. Is there any way to get this information in the callback?

3 comments

Tyler Liu ♦ commented ·
According to the latest Glip bot provisioning flow, the Add to Glip button can only be clicked once by people from the same company.

For example, a company has 1000 users, a user clicks Add to Glip, and the bot is added to Glip. The other 999 users from the same company won't be able to click the Add to Glip button again because they will see a "Remove" button instead.

So the bot is not per user, it is per company.
1 Like 1 ·
Tyler Liu ♦ commented ·
With the above being said, it seems possible to know the user who clicked that button:

code=123&client_id=XXXXXcreator_account_id=1234567890&creator_extension_id=0987654321

creator_account_id=1234567890&creator_extension_id=0987654321 is able to identify the user

You can invoke /restapi/v1.0/account/<account_id>/extension/<extension_id> to get the user's information.
1 Like 1 ·
ia8853 commented ·
That sounds great. Thanks.
0 Likes 0 ·
