Telegram bot - OAuth authorization


Problem description


I want to implement OAuth authorization with the Twitch API in my bot, and while I was looking for a better solution I found @GitHubBot. In this bot the redirect URL starts with integrations.telegram.org/github, and I wonder how to implement auth like this. If you please, can you tell me the best practice for implementing OAuth in Telegram bots? Which is the better case: Authorization Code or Implicit Grant?
Thank you in advance!

Recommended answer


I had the same idea of authorizing access to 3rd-party services via Telegram, and I had 2 main ideas, inspired by the explained deep linking usage:

  • The first idea was to create a unique authorization URL with a unique redirect URI. Unfortunately, when setting up credentials in the Google console I had missed the explanation about redirect URIs. It says:


"Authorized redirect URIs For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address."


So this approach, a dynamic unique redirect URI, was a fail from the beginning.

  • The second was to obtain access to the resource and then send the hashed authorization result directly to the bot. It was expected to look like this: ttps://telegram.me/bot?hashed_code=code. But unfortunately I found that this could not work as planned either. I was very disappointed by this fact, but after some digging I found that the only way to pass a parameter to a bot via a direct URL is the /start command!


@BotSupport confirmed my assumptions:


JV, [17.09.16 22:16] I need to authorize users at 3rd-party services, for example Google Calendar. So I decided to create a simple URI that redirects to the service sign-in, and a redirect URL to my server with the token\authCode. As far as OAuth does not authenticate the user, I still need to somehow identify who exactly granted access to his resources. So my next logical step was to hash the received token and send it back to the user via ttps://telegram.me/BOT?code=xxx. I was convinced that if there is a commandHandler for /code and /code is in the bot commands list, I would be able to open a conversation with my bot and send this hashed code via webhook back to my server in order to detect who exactly it was at the access grant step. I was shocked when I found that my plan was ruined at the last step: as far as I can see, only the /start command can be triggered. My question is: can you confirm that only the /start command can take query parameters via URL? If so, could you give me some advice about the right way of authorizing and authenticating the user?


Bot Support, [20.09.16 01:50] Hi, sorry for the wait. You are talking about Deep-linking (https://core.telegram.org/bots#deep-linking) and, indeed, only /start and /startgroup can be used there.


In the end I was able to perform successful user authorization\identification, but it looks very weird to see the START button in the middle of the conversation.


Résumé: you are not allowed to perform silent authorization like it's done in ttps://telegram.me/youtube or ttps://telegram.me/GitHubBot, but you can perform a "close enough" version of silent OAuth authorization.


Note: for now it is hard for me to tell how exactly those bots are implemented (youtube, GitHubBot), but it should be some unique backdoor for these bots, as far as they redirect to ttps://integrations.telegram.org/youtube/oauth_redirect with the same scheme (at least, the redirect URI from the OAuth service does not contain unique information to identify the user, just as in the case I've described in this post). Maybe there is some way of making the auth URL unique using some parameter, but as far as I know it is not allowed.

Steps to implement the scheme:

  1. Set up a webhook
  2. Add an oauth_cb endpoint
  3. Get credentials for your app, e.g. in the Google console
  4. Wait for the callback to the oauth_cb endpoint
  5. Generate a hash for the authorization code from step 4
  6. Save the hash and the auth_code as a key-value pair
  7. Create a redirect URL to your bot using the hash from 5
  8. Generate HTML containing the redirect URL from 7
  9. Actually redirect 8 to your bot with the parameter
  10. Write a parser for the /start command that expects an inline parameter
  11. Wait for the webhook with the /start command
  12. Identify the user using the key-value pair from 6
  13. Delete the key-value pair
  14. You're awesome! Now you have access to some user data


Sorry, no images or links as far as I have no reputation
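The scheme the answer lists as steps 4-13, written out as an added Python example. This is not code from the answer, from @GitHubBot or from Telegram; the bot username, the placeholder client id and redirect URI, the Twitch authorize endpoint, and the names LinkStore, redirect_html and parse_query are assumptions. It departs from the answer's wording in two deliberate places: the lookup key is a random single-use token rather than a hash of the authorization code (the code then never travels through Telegram, and the key cannot be derived from it), and the callback checks an OAuth state parameter so that a forged or replayed callback cannot plant a pending link. Both hops are stored in memory here; a real bot would use a store with TTLs.

```python
# Added example (not the answer's own code): steps 4-13 of the scheme above.
# Assumed names: BOT_USERNAME, CLIENT_ID, REDIRECT_URI, LinkStore, redirect_html.
import secrets
import time
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

BOT_USERNAME = "ExampleLinkBot"                          # assumed bot username
AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"  # Twitch authorize endpoint
CLIENT_ID = "example-client-id"                          # placeholder
REDIRECT_URI = "https://bot.example.com/oauth_cb"        # registered once, never varies
TOKEN_TTL = 300                                          # seconds a pending link stays valid


class LinkStore:
    """In-memory state for both hops of the flow (use a store with TTLs in production)."""

    def __init__(self):
        self.states = {}    # OAuth state -> expiry; rejects forged or replayed callbacks
        self.pending = {}   # one-time token -> (auth_code, expiry)   (answer's step 6)
        self.linked = {}    # telegram user id -> auth_code            (step 12)

    def authorize_url(self, now=None):
        """Link the bot hands to the user: Authorization Code grant with a random state."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(16)
        self.states[state] = now + TOKEN_TTL
        return AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "user:read:email",
            "state": state,
        })

    def oauth_callback(self, query, now=None):
        """Steps 4-7: validate the provider callback, park the code, build the deep link."""
        now = time.time() if now is None else now
        state = query.get("state")
        if state is None or self.states.pop(state, 0) < now:
            raise PermissionError("unknown, replayed or expired state")
        code = query.get("code")
        if not code:
            raise ValueError("provider returned no authorization code")
        # Random single-use token instead of a hash of the code.  token_urlsafe
        # yields only [A-Za-z0-9_-], the charset a deep-link start parameter allows.
        token = secrets.token_urlsafe(32)                # 43 chars, under the 64 limit
        self.pending[token] = (code, now + TOKEN_TTL)
        return f"https://telegram.me/{BOT_USERNAME}?start={token}"

    def handle_update(self, update, now=None):
        """Steps 10-13: parse '/start <token>' from a webhook update and bind the sender."""
        now = time.time() if now is None else now
        msg = update.get("message") or {}
        parts = (msg.get("text") or "").split(maxsplit=1)
        if len(parts) != 2 or parts[0] not in ("/start", f"/start@{BOT_USERNAME}"):
            return None                                  # plain /start or unrelated message
        entry = self.pending.pop(parts[1].strip(), None) # step 13: the token is single-use
        if entry is None:
            return None
        code, expiry = entry
        if now > expiry:
            return None
        user_id = msg["from"]["id"]
        self.linked[user_id] = code      # exchange the code for tokens server-side from here
        return user_id


def redirect_html(deep_link):
    """Step 8: the page that bounces the authorizing browser into Telegram."""
    safe = escape(deep_link, quote=True)
    return (f'<!doctype html><meta http-equiv="refresh" content="0;url={safe}">'
            f'<a href="{safe}">Open Telegram</a>')


def parse_query(url):
    """Helper for the demo: single-valued query parameters of a URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    store = LinkStore()
    state = parse_query(store.authorize_url())["state"]
    # Constructed provider callback and constructed Telegram webhook update.
    link = store.oauth_callback({"code": "constructed-auth-code", "state": state})
    print(redirect_html(link))
    token = parse_query(link)["start"]
    update = {"message": {"from": {"id": 42}, "text": f"/start {token}"}}
    print(store.handle_update(update), store.linked)
```

The property to keep in mind with this scheme is that whoever opens the deep link first is the Telegram account that gets bound to the grant. The token therefore has to reach only the browser session that just authorized (the HTML redirect does that), be short-lived and single-use; a link that can be forwarded and reused lets someone bind a victim's Telegram account to a third-party account they control. If the bot itself hands out the authorize URL in a chat, storing the requesting chat id next to the state lets the callback identify the Telegram user directly, which removes the deep-link hop and the START button the answer complains about. In either variant the exchange of the code for tokens happens on the server, which is why the Authorization Code grant rather than the Implicit grant fits a bot.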
