No "state" in "Add to Glip" bot callback

OAuth2 callbacks should have a state variable within them to verify the callback.
/?state=xyz&code=123
However, when we click the "Add to Glip" button, no state is passed. The callback URL looks like this:
code=123&client_id=XXXXX&creator_account_id=1234567890&creator_extension_id=0987654321
Another problem is that, as the callback does not occur in the user's browser, we lose all kinds of cookies/sessions. We have no idea who the user clicking the "Add to Glip" button is.

IA


Posted 7 months ago


Tyler Long, Official Rep

There is no state. But there is a Verification-Token in the header with which you can verify that the request is indeed from RingCentral.

After you click that button, a bot user is created. When you get the token there is an owner_id property and that is the bot user's id. So it doesn't matter who clicked that button because the token is the newly created bot user's token.

I am not an expert either. We can discuss.

IA

Thanks Tyler,

While connecting Glip to our app, we need to know the person who clicked the button. This is required to keep the user experience seamless. Is there any way to get this information in the callback?

Tyler Long, Official Rep

According to the latest Glip bot provisioning flow, the Add to Glip button could only be clicked once by people from the same company.

For example, a company has 1000 users, a user clicks Add to Glip, and the bot is added to Glip. The other 999 users from the same company won't be able to click the Add to Glip button again because they will see a "Remove" button instead.

So the bot is not per user, it is per company.

Tyler Long, Official Rep

With the above being said, it seems possible to know the user who clicked that button:

code=123&client_id=XXXXX&creator_account_id=1234567890&creator_extension_id=0987654321

creator_account_id=1234567890&creator_extension_id=0987654321 is able to identify the user.

You can invoke /restapi/v1.0/account/<account_id>/extension/<extension_id> to get the user's information.

IA

That sounds great. Thanks.