I'm looking to proxy requests to https://directline.botframework.com for specific consumers but only allow them to use the proxy for a specific bot:
consumers -> my.proxy.com -> directline.botframework.com
I read in another post: "the Direct Line secret or token that you specify in the Authorization header of the request is used to identify the bot that the request should be directed to".
I'm unable to find any documentation on the syntax of tokens but examples appear to follow a certain pattern of 11 chars followed by period...:
Authorization: Bearer RCurR_XV9ZA.cwA.BKA.iaJrC8xpy8qbOF5xnR2vtCX7CZj0LdjAPGfiCpg4Fv0y8qbOF5xPGfiCpg4Fv0y8qqbOF5x8qbOF5xn
Are any of these fields(?), e.g. first 11 characters before first period, a unique identifier for a bot that I could use to filter requests on?
If you decode the bearer token you can get the app id. I just tested this with jwt.io and was able to see my correct app id.
You can probably find a library that you can use to do this for you to get the app id, but I do not know one offhand. If you have access to the whole request, another option would be to parse the activity for the bot id (in C#, activity.recipient.id or activity.from.id, depending on direction) and use this data to whitelist somehow. This is a fairly unique case, so I do not have any examples of this.
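The filtering approach suggested in the answer above, sketched as an added example that is not part of the original posts: the proxy decodes the payload of a JWT-shaped bearer token and forwards the request only when the app id is on an allow-list. The claim name `appid`, the helper names and the sample ids are assumptions; decode one of your own tokens to find the claim that actually carries the app id.

```python
import base64
import json

# Assumption: name of the claim carrying the app id (not stated on the page).
APP_ID_CLAIM = "appid"

def _b64url_json(segment):
    """Decode one base64url segment to a JSON object, or None on any error."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def extract_app_id(authorization_header):
    """Return the app id from a 'Bearer <jwt>' header, or None.

    The signature is NOT verified here, so the value is only a routing
    filter; the upstream service still has to accept the token itself.
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    parts = token.strip().split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return None  # not a header.payload.signature token
    claims = _b64url_json(parts[1])
    value = claims.get(APP_ID_CLAIM) if claims else None
    return value if isinstance(value, str) else None

def is_allowed(authorization_header, allowed_app_ids):
    """Fail closed: forward only decodable tokens with an allow-listed id."""
    app_id = extract_app_id(authorization_header)
    return app_id is not None and app_id in allowed_app_ids

def make_sample_token(app_id):
    """Build a constructed, unsigned JWT-shaped token for demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({APP_ID_CLAIM: app_id}), "sig"])

if __name__ == "__main__":
    allowed = {"00000000-0000-0000-0000-000000000001"}  # constructed id
    for aid in ("00000000-0000-0000-0000-000000000001", "other-bot"):
        header = "Bearer " + make_sample_token(aid)
        print(aid, "->", "forward" if is_allowed(header, allowed) else "reject")
```

A value that does not split into three decodable segments, such as the four-segment string quoted in the question, yields no app id and is rejected rather than forwarded.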