Shared Token?

[ghost]

Project
Virtual Assistant (version from 2018-12-04)

Description
Time: 11:00 (CEST)
Location: Germany
I use my VA with channel WebChat.
After entering 'Send e-mail to XY' I was asked to login to a Microsoft account, what I did.
I got a verification code in a browser window, which I entered into the chatbot.
I refreshed the web page.
I successfully sent a email via VA.

Time: 16:00 (CEST)
Location: US
Another person on another device, also entered 'Send e-mail to XY', but was not asked to login. Instead the other person had access to my Outlook365 account, e.g. to show the task list or to send an email on my behalf.

Expected behavior
Every user have access only to his/her own Office365 account.

Questions

• Are the security token maintained and cached on the server side?
• It is a known bug, which was fixed in later versions?

[darrenj]

HI @David201406,

This is likely the webchat issues whereby it defaults to a user-id of "default". once you signin the Azure Bot Service does securely store a token against your userid for future refresh/use. As webchat on two machines is using the same userid you can see this scenario. This is highlighted here

This has been fixed: microsoft/BotFramework-WebChat#1612 and will be in the next release but you should be able to reference a more recent build from here on your script tag.

Let me know if this helps

[darrenj]

you can type signout or /event:{Name:"IPA.ResetUser"} to remove any tokens/state too