get 403 (Forbidden) after call getSessionId()

[mkovel]

Hi,
i get error in getSessionId() method when i try to use OAuthCard after click by Sign In button

it looks like on screenshot,

Also I recieve next response after call getSessionId()

https://directline.botframework.com/v3/directline/session/getsessionid

{
  "error": {
    "code": "ServiceError",
    "message": "Trusted Origin list is empty."
  }
}

What am I doing wrong?

Thanks

[mkovel]

has any update?

[ukphillips]

@mkovel I just worked through this issue with the webchat library! How are you initializing the conversation? To solve this I needed to obtain the conversation token by posting the trusted origins:

POST https://directline.botframework.com/v3/directline/tokens/generate

with your master secret as a bearer token and a body of:

{
TrustedOrigins: ["https://URLHOSTINGCLIENTSIDECODE"]
}

Here was my original issue for reference: microsoft/botframework-sdk#4745

[mkovel]

Hi, @ukphillips

1. I've received token throug:

POST https://directline.botframework.com/v3/directline/tokens/generate 
Authorization: Bearer ___MY_DIRECTLINE_SECRET___

2. And then are creating new DL with received token

new DirectLine({ token: __RECIEVED_TOKEN__,  webSocket: true});

Did I answer your question?

[mkovel]

@ukphillips O... I think finaly I understood what you mean. )))
OK i will try your solution tomorrow and give you feedback.
thanks

[ukphillips]

@mkovel sounds like you know what I meant, but just make sure you include the JSON body with the TrustedOrigins property when generating the token. Let me know how it goes!

[compulim]

Looks like @ukphillips resolved the issue.

One side note, the TrustedOrigins is being moved inside Direct Line channel settings page. You can find more information in this blog post.

[alexknipfer]

@compulim Is there a way to specify a wildcard as the trusted origin to allow all domains? Configuring it in directline doesn't allow for a * as a domain. We allow for our client to embed on pages of their choice, so it would be difficult to maintain the list of trusted origins.