I want to implement OAuth authorization by Twitch API on my bot, and when I was looking for a better solution, I found this @GitHubBot. In this bot redirect URL starting for integrations.telegram.org/github, and I wonder how to implement auth like this. If you please, can you tell best practice to implement OAuth in telegram bots? What the better case: Authorization Code or Implicit Grant?
Thank you in advance!
I had the same idea of authorizing access to 3rd party services via Telegram and I had 2 main ideas. Inspired by explained deep linking usage:
"Authorized redirect URIs For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address. "
So, this approach dynamic unique redirect URI was a fail from the begging.
@BotSupport confirmed my assumptions:
JV, [17.09.16 22:16] I need to authorize user at 3rd party services. For example, Google calendar. So, I decided to create simple URI that redirects to Service Sign In and redirect URL to my server with token\authCode. As far as oauth does not authenticate user, I still need somehow identify who exactly granted access to his resources. So my next logical step was to hash received token and send it back to user via ttps://telegram.me/BOT?code=xxx I was convinced that if there is commandHandler for /code and /code is in the bot commands list I would be able to open conversation with my bot and sent this hashed code via webhook back to my server in order to detect who exactly it was at access grant step. I was shocked when I found that my plan was ruined at the last step: as far as I can see there is only /start command could be triggered. My question is: can you confirm that only /start command could query parameters via URL? if so, could you give me some advise about the right way of authorizing and authenticationg user?
Bot Support, [20.09.16 01:50] Hi, sorry for the wait. You are talking about Deep-linking (https://core.telegram.org/bots#deep-linking) and, indeed, only /start and /startgroup can be used there.
In the end I was able to perform successful user authorization\identification, but it looks very weird to see the START button in the middle of the conversation.
Resume: you are not allowed to perform silent authorization like it's done in ttps://telegram.me/youtube or ttps://telegram.me/GitHubBot, but you could perform "close enough" version of silent oauth authorization
Note: for now it is hard for me to tell how exactly that bots are implemented (youtube, GitHubBot), but it should be some unique backdoor for this bots as far as they redirected to ttps://integrations.telegram.org/youtube/oauth_redirect with the same scheme(at least, redirect URI from oauth service does not contain unique information to identify user just as in case I've described in this post) Maybe, there is a some way of making auth URL unique using some parameter, but as far as I know it is not allowed.
Steps to scheme implementation:
Sorry, no images or links as far as I have no reputation