2
votes

We have a web application and enabled direct client channel to communicate with the hosted BOT framework using directline secret.

Link: BOT - Directline webchat

Sample Code:

    BotChat.App({
        directLine: { secret: Key },
        // dynamically retrieve the logged-in user info in your MVC view once the user has logged in
        // and pass that info to your bot
        user: { id: '', email: '' },
        bot: { id: 'testBOT' },
        resize: 'detect'
    }, document.getElementById("divbot"));

Here is my situation:

1) The user successfully logged in to the application and was authorized using the individual account.

2) How to authenticate the user in the BOT framework? The Directline secret is used to authenticate the calling application. Is there any way to authorize and authenticate the logged-in user in the BOT framework securely?

Thank you

2
To me, it is unclear what exactly you are trying to accomplish here. Could you try to explain the scenario more, please? It may be the backchannel you are looking for: docs.microsoft.com/en-us/azure/bot-service/nodejs/… - D4RKCIDE

If you are already authenticating the user in your website, why do you want to authenticate the user again? - Anita George

Hi, I enabled the BOT in my client by simply passing the direct client secret key. How to secure the BOT connection from my client? Anyone can view the source and get the secret key. I also read about getting the secret token from the key and using it for communication, but I am not sure how to accomplish that in the JavaScript. My client is MVC based. - user2231

2 Answers

1
votes

> also read about getting the secret token from the key and use for communication. But not sure how to accomplish in the javascript.

It seems that you embed web chat in your MVC website, and you do not want to expose the Direct Line Secret (which prevents anyone from putting your bot on their website). You can try this approach:

  1. Create a backend service, and make the request to generate a Direct Line token in that service, which avoids exposing the Direct Line Secret on the client side.
  2. On your JavaScript client, you can make an Ajax request to that backend service to get the Direct Line token and initiate BotChat with the generated token in the Ajax success callback function.
  3. Enable CORS in your backend service to allow some origins and prevent requests from other origins from accessing that backend service and adding your bot to their web page.
  4. To secure your backend service, you can implement request authentication for it.

0
votes

You can exchange the key for a token that expires. Here is an MVC example: https://github.com/EricDahlvang/TokenBotExample/tree/master/TokenBotExample

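    // Requires: using System.Configuration; using System.Net.Http;
    // Runs inside an async controller action; the secret never leaves the server.
    string botChatSecret = ConfigurationManager.AppSettings["BotChatSecret"];

    // Exchange the secret for a token that expires
    var request = new HttpRequestMessage(HttpMethod.Get, "https://webchat.botframework.com/api/tokens");
    request.Headers.Add("Authorization", "BOTCONNECTOR " + botChatSecret);

    using (HttpResponseMessage response = await new HttpClient().SendAsync(request))
    {
        // The body is the token as a quoted string; strip the quotes before use
        string token = await response.Content.ReadAsStringAsync();
        Token = token.Replace("\"", "");
    }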
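
The four steps from the first answer combined with the token exchange from the second, as an added Node.js sketch; it is not code from either answer or from the Bot Framework project. The allow-listed origin, the `req.session.userId` shape and the function names are assumptions, while the token endpoint and `BOTCONNECTOR` scheme are the ones in the C# snippet above.

```javascript
// Added example: a token broker that keeps the Direct Line secret on the server.
// Hypothetical names: ALLOWED_ORIGINS, req.origin, req.session.userId, all function names.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
// Endpoint and auth scheme taken from the C# answer on this page.
const TOKEN_URL = 'https://webchat.botframework.com/api/tokens';

// Steps 3 and 4: refuse foreign origins and callers without a logged-in session.
// Same-origin GETs may carry no Origin header; those rely on the session check alone.
function checkRequest(req) {
  if (req.origin && !ALLOWED_ORIGINS.has(req.origin)) {
    return { status: 403, headers: {}, body: { error: 'origin not allowed' } };
  }
  if (!req.session || !req.session.userId) {
    return { status: 401, headers: {}, body: { error: 'login required' } };
  }
  return null; // request may proceed
}

// Default upstream call (Node 18+ global fetch); callers may inject a stub.
async function exchangeSecret(secret) {
  const res = await fetch(TOKEN_URL, { headers: { Authorization: 'BOTCONNECTOR ' + secret } });
  return { status: res.status, text: await res.text() };
}

// Step 1: only the expiring token is returned to the browser, never the secret.
async function issueToken(req, secret, exchange = exchangeSecret) {
  const denied = checkRequest(req);
  if (denied) return denied;
  const upstream = await exchange(secret);
  if (upstream.status !== 200) {
    return { status: 502, headers: {}, body: { error: 'token exchange failed' } };
  }
  // A token is a credential: never let a proxy or the browser cache it.
  const headers = { 'Cache-Control': 'no-store' };
  if (req.origin) {
    Object.assign(headers, { 'Access-Control-Allow-Origin': req.origin,
      'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' });
  }
  // The user id is read from the server-side session, not from client input.
  return { status: 200, headers,
    body: { token: upstream.text.replace(/"/g, ''), userId: req.session.userId } };
}

// Step 2 (browser side): BotChat.App options built from the broker's JSON reply.
function botChatOptions(reply) {
  return { directLine: { token: reply.token }, user: { id: reply.userId },
    bot: { id: 'testBOT' }, resize: 'detect' };
}
```

CORS only constrains browsers, so the session check is what keeps anonymous callers from obtaining tokens. The user id is still handed to the bot by client script, so the bot should not treat it as proof of identity on its own.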