I want to implement OAuth authorization with the Twitch API in my bot, and while I was looking for a better solution, I found this @GitHubBot. In this bot the redirect URL starts with integrations.telegram.org/github, and I wonder how to implement auth like this. Could you please tell me the best practice for implementing OAuth in Telegram bots? Which is the better option: Authorization Code or Implicit Grant?
Thank you in advance!
Question posted in Telegram API
A comprehensive official documentation can be found here.
2 Answers
I had the same idea of authorizing access to 3rd party services via Telegram and I had 2 main ideas.
Inspired by explained deep linking usage:
Unfortunately, I missed the explanation about redirect URIs when I was setting up credentials in the Google Console. It says
So this approach with a dynamic unique redirect URI was a failure from the beginning.
It was expected to look like this:
https://telegram.me/bot?hashed_code=code
But, unfortunately I found that this also doesn’t work as it was planned.
I was really disappointed about that fact, but after some sneaking around I found that the only way to pass parameters to your bot through a direct URL is the /start command!
@BotSupport confirmed my assumptions:
In the end I was able to perform successful user authorization/identification, but it looks very weird to see the START button in the middle of the conversation.
Resume: you are not allowed to perform silent authorization like it's done in https://telegram.me/youtube or https://telegram.me/GitHubBot, but you can perform a "close enough" version of silent OAuth authorization.
Note: for now it is hard for me to tell how exactly those bots are implemented (youtube, GitHubBot), but it should be some unique backdoor for these bots, as they are redirected to https://integrations.telegram.org/youtube/oauth_redirect with the same scheme (at least, the redirect URI from the OAuth service does not contain unique information to identify the user, just as in the case I've described in this post).
Maybe there is some way of making the auth URL unique using some parameter, but as far as I know it is not allowed.
Steps to scheme implementation:
Sorry, no images or links as far as I have no reputation
I solved this with Telegram deep linking and AWS API Gateway service.
The authentication scenario is like this:
code parameter
You need to receive that code in your bot, but you cannot just redirect to your bot's URL, because the only parameter it accepts is start. This is well described in @evasyuk's answer.
My solution is to set up an AWS API Gateway endpoint that will receive the callback with the auth code from the service and redirect it to your bot's link with the start parameter. Here are the basic steps to do that.
I assume that you have an AWS account, but if not, it's easy to create and you can use this solution for a year absolutely free:
Head to the console to create a new API Gateway. You can create a new one and follow the steps, or you can import the Swagger definition (don’t forget to change the bot URL!):
Press Actions > Deploy API and make up some stage name; it doesn't matter.
You will get a link for your newly created endpoint, something like
For example
You are ready to go. Now you can program your bot to give users a link to the service authorization, say
Once a user followed it and signed in, he will be sent to
which will get redirected to
and normally the user will get back to his Telegram app, where he is offered to press the Start button. Once he does, the bot will receive a message
/start <auth_code>
(but the code won’t appear in the chat history). Your bot can save this code and use it for user authentication (getting tokens).
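The redirect step described in the answer above, written out as an added example (not part of the original answer or its Swagger definition): it validates the callback's code before building the bot link, since Telegram's start parameter only accepts A-Z, a-z, 0-9, _ and - up to 64 characters, and since an unchecked value would end up in a Location header. The bot username and the API Gateway proxy-style response shape are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: placeholder bot username, not taken from the page.
BOT_USERNAME = "ExampleAuthBot"

# Telegram deep linking accepts only these characters in the start
# parameter, with a maximum length of 64.
START_PARAM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def _reject(reason: str) -> dict:
    return {"statusCode": 400, "headers": {}, "body": reason}


def handle_callback(query_string: str) -> dict:
    """Turn the OAuth provider's callback into a redirect to the bot.

    Returns a dict shaped like an API Gateway proxy response (assumed shape).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    codes = params.get("code", [])
    # Exactly one code must be present; a duplicated parameter is rejected
    # rather than guessing which value the provider meant.
    if len(codes) != 1:
        return _reject("missing or duplicated code")
    code = codes[0]
    # Refuse anything Telegram would drop or that could inject header
    # content (CR/LF) or extra query parameters into the redirect.
    if not START_PARAM_RE.fullmatch(code):
        return _reject("code does not fit the start parameter")
    location = f"https://telegram.me/{BOT_USERNAME}?" + urlencode({"start": code})
    headers = {"Location": location, "Cache-Control": "no-store"}
    return {"statusCode": 302, "headers": headers, "body": ""}


def extract_code(message_text: str):
    """Bot side: return the code from '/start <auth_code>', or None."""
    parts = message_text.split(maxsplit=1)
    if len(parts) != 2 or parts[0] != "/start":
        return None
    # Re-validate: anyone can type /start with an arbitrary argument.
    return parts[1] if START_PARAM_RE.fullmatch(parts[1]) else None
```

If the provider's codes are longer than 64 characters or use other characters, the handler returns 400 instead of producing a link that Telegram would not deliver to the bot.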