ia asked ·

No "state" in "Add to Glip" bot callback

OAuth2 callbacks should have a state variable within them to verify the callback.
/?state=xyz&code=123
However, when we click the "Add to Glip" button no state is passed. The callback URL looks like this:
code=123&client_id=XXXXXcreator_account_id=1234567890&creator_extension_id=0987654321  
Another problem is that, as the callback does not occur in the user's browser, we lose all cookies/sessions. We have no idea which user clicked the "Add to Glip" button.

Tyler Liu answered ·
There is no state. But there is a Verification-Token in the header, which you can use to verify that the request is indeed from RingCentral.

After you click that button, a bot user is created. When you get the token, there is an owner_id property, and that is the bot user's id. So it doesn't matter who clicked that button because the token is the newly created bot user's token.

I am not an expert either. We can discuss.

ia answered ·
Thanks Tyler,

While connecting Glip to our app, we need to know the person who clicked the button. This is required to keep the user experience seamless. Is there any way to get this information in the callback?

3 comments

According to the latest Glip bot provisioning flow, the Add to Glip button can only be clicked once by people from the same company.

For example, a company has 1000 users; a user clicks Add to Glip, and the bot is added to Glip. The other 999 users from the same company won't be able to click the Add to Glip button again because they will see a "Remove" button instead.

So the bot is not per user, it is per company.
1 Like

With the above being said, it seems possible to know the user who clicked that button:

code=123&client_id=XXXXXcreator_account_id=1234567890&creator_extension_id=0987654321

creator_account_id=1234567890&creator_extension_id=0987654321 is able to identify the user.

You can invoke /restapi/v1.0/account/<account_id>/extension/<extension_id> to get the user's information.
1 Like
That sounds great. Thanks.
0 Likes
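
An added example, not part of the thread and not RingCentral's code: a callback handler that combines the two points made above, checking the Verification-Token header before trusting the request and then using creator_account_id and creator_extension_id to build the extension lookup path. The expected token value, the function and exception names, and the digits-only check on the ids are assumptions made for this sketch.

```python
import hmac
from urllib.parse import parse_qs

# Assumption: the app already knows the value RingCentral will send in the
# Verification-Token header (placeholder constructed for this example).
EXPECTED_VERIFICATION_TOKEN = "constructed-example-token"
REQUIRED = ("code", "creator_account_id", "creator_extension_id")


class CallbackRejected(Exception):
    """Raised when the callback cannot be trusted or is malformed."""


def handle_bot_callback(headers, query_string):
    """Validate an "Add to Glip" callback and identify the installing user.

    headers: dict of request headers; query_string: raw query without '?'.
    Returns the authorization code and the REST path of the creator's extension.
    """
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("verification-token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(presented.encode(),
                               EXPECTED_VERIFICATION_TOKEN.encode()):
        raise CallbackRejected("missing or wrong Verification-Token")

    params = parse_qs(query_string)
    values = {}
    for name in REQUIRED:
        found = params.get(name, [])
        # A missing or repeated parameter is ambiguous, so refuse it.
        if len(found) != 1:
            raise CallbackRejected(f"expected exactly one {name}")
        values[name] = found[0]

    # Assumption: ids are numeric, as in the thread's samples. They end up in
    # a URL path, so anything other than ASCII digits is rejected.
    for name in ("creator_account_id", "creator_extension_id"):
        if not (values[name].isascii() and values[name].isdigit()):
            raise CallbackRejected(f"{name} is not numeric")

    path = "/restapi/v1.0/account/{}/extension/{}".format(
        values["creator_account_id"], values["creator_extension_id"])
    return {"code": values["code"], "creator_path": path}
```

Because there is no state parameter, the header check is the only thing tying the request to RingCentral, so it runs before any query parameter is read.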
