Tags: botframework, direct-line-botframework, web-chat

Sending a JWT through Direct-line API to authenticate the user, in Microsoft chat bot


I need to send a JWT (access token) to the chatbot via Direct Line. I'm using React as the front end, and the chatbot is integrated into the front end via botframework-webchat.

So far, I was able to send the access token through an activity, which is not recommended, I think.

Right now, the chatbot is asking the user to log in, which is not good because the user is already logged in to the application.

My first question - Is it possible to authenticate the chatbot by an id token instead of connecting with Azure AD, B2C, or any auth service provider?

If it is possible, how can I send the id token to the bot via botframework-webchat?

Thanks in advance

Here is my code for the front end

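import React, { useEffect, useMemo } from 'react';
import ReactWebChat, { createDirectLine } from 'botframework-webchat';
import { withTranslation } from 'react-i18next';
// Layout is the application's own layout component; its import is not shown in the question.

const Chatbot = (props) => {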
  const language = localStorage.getItem('language');
  const directLine = useMemo(
    () => createDirectLine({ token: <my_token>, locale: 'sv-se' }),
    []
  );

  useEffect(() => {
    var activity = {
      from: {
        id: '001',
        name: 'noviral',
      },
      name: 'startConversation',
      type: 'event',
      value: 'Hi noviral!',
      locale: language === 'en' ? 'en-US' : 'sv-se',
    };
    

    directLine.postActivity(activity).subscribe(function (id) {
      if (console) {
        console.log('welcome message sent to health bot');
      }
    });

  }, []);

  return (
    <Layout className="login-layout">
      <div className="login-div">
        <div className="chatbot">
          <div className="consent-wrapper">
            <ReactWebChat
              directLine={directLine}
              userID={'001'}
              username="Noviral"
              locale={language === 'en' ? 'en-US' : 'sv-se'}
            ></ReactWebChat>
          </div>
        </div>
      </div>
    </Layout>
  );
};

export default withTranslation()(Chatbot);

Solution

  • Sending the token via an activity is acceptable as activities sent via Direct Line are secure. If you look over the 24.bot-authentication-msgraph sample, you can see that the default action the bot takes is to send an activity displaying the user's token.

    As for authentication, the question doesn't seem to be what token you will use but rather how you will authenticate. If you don't use a service provider + login, how is the bot going to verify who the user is? That being said, there are some SSO (single sign-on) options available via Web Chat (see here) that, if a user is already logged in, then SSO could pick it up. You will have to look them over to decide if these options meet your needs.
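
As an added example (not part of the original question or answer): when the token arrives in an activity, the bot still has to validate it before trusting the identity it carries. This Node.js sketch checks signature, issuer, audience and expiry; the `value.token` field, the issuer and audience strings, and the throwaway key pair are constructed assumptions.

```javascript
// Added example: bot-side validation of a JWT carried in an event activity.
const crypto = require('crypto');

// Constructed demo values; a real bot reads these from its configuration.
const EXPECTED = { iss: 'https://idp.example', aud: 'my-chatbot' };
const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

function verifyActivityToken(activity, publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  // Assumption: the client puts the JWT in activity.value.token of an event activity.
  const token = activity && activity.type === 'event' && activity.value && activity.value.token;
  if (typeof token !== 'string') return { ok: false, reason: 'no token' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; never let the token header choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const signature = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Assumes a single string "aud" claim.
  if (claims.iss !== EXPECTED.iss || claims.aud !== EXPECTED.aud) {
    return { ok: false, reason: 'wrong issuer/audience' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  // The user identity comes from the verified claims, not from activity.from.id,
  // which the client sets itself.
  return { ok: true, userId: claims.sub };
}

// Constructed fixture: a throwaway key pair and signer standing in for the identity provider.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signDemoToken(claims, alg = 'RS256') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
const demoActivity = (token) => ({ type: 'event', name: 'startConversation', from: { id: '001' }, value: { token } });
```
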