What is the correct way to authenticate from JavaScript in an HTML file to the Microsoft Web Chat control for Bot Framework v4?

My goal is to create an HTML page with JavaScript that runs the Microsoft Bot Framework v4 Web Chat control

https://github.com/Microsoft/BotFramework-WebChat

As mentioned in the comments on this Stack Overflow question

Microsoft Bot Framework image size in adaptive card

I tried to follow the sample code here

https://github.com/compulim/BotFramework-MockBot

specifically

BotFramework-WebChat-master\samples.a.getting-started-full-bundle

but could not get it to work. In the other question linked above, Microsoft support told me to authenticate a different way:

You need to make a POST request to https://directline.botframework.com/v3/directline/tokens/generate with Authorization: Bearer in the header. Alternatively, you can use const token = directly, instead

However, the sample code mentioned above says

To talk to your bot, you should use the token exchanged using your Direct Line secret. You should never put the Direct Line secret in the browser or client app.

If the JavaScript suggested above is included in the HTML file, anyone who loads the page can see it with "View Source".

Using the DirectLine secret appears to violate the rule of not exposing the secret, and I have read that it grants access to all conversations, not just the current one.

If the JS code in plain view uses the DirectLine secret to get a token, then uses the token to authenticate, using the token doesn't seem to accomplish anything, as the DL secret is exposed. Why not just use the DL secret?

What is the Microsoft-recommended, simplest way to authenticate to the web chat control linked to above?

Thanks!

Why not just use DL secret?

As you said, this would allow access to all conversations with the bot.

If the JS code in plain view uses the DirectLine secret to get a token, then uses the token to authenticate, using the token doesn't seem to accomplish anything, as the DL secret is exposed.

Correct again. To keep your secret hidden, you need to set up your own token server. We don't have an official ready-to-go sample for setting one up, but this sample by the Web Chat author should help you get started.

If you want to write it yourself, the flow is basically:

  1. Have your WebChat client send a token request to your token server
  2. Your token server can store the secret in a variable, as long as you don't make the code public. Have your token server contact https://directline.botframework.com/v3/directline/tokens/generate via a POST request with the header Authorization: Bearer <YourSecret>
  3. Return the token from that request to the WebChat client
    • Your WebChat client now has a token without ever knowing the secret, because it used your token server as middleware

What is the Microsoft-recommended, simplest way to authenticate to the web chat control linked to above?

Unfortunately, there is no method that is both "simple" and "recommended". The simplest is to use your secret directly. That is fine if you don't care whether user conversations can be exposed. The recommended method, however, is to implement your own token server.

Additional reading on secrets

From this GitHub issue

For purposes of this discussion, we're going to treat secrets and tokens to be the same thing. We can go into detail on those later if you want. I'll refer to them as "secret/token" for now.

To access a conversation, you need the secret/token and a conversation ID. These values are sometimes glued together, and are sometimes in separate variables. Sometimes they're in the URL, and sometimes they're stored in JavaScript in memory. These are similar to a user token, stored in a user's cookie.

In all cases, these values are accessible to a user sitting at their own computer. They can read their own URLs, they can read their own JavaScript variable state, and they can read their own cookies.

If they send any of this information to someone else, that person can impersonate them. If my bank emails me a password reset link, and I share that with someone else, that person can reset my account password and log in to my account.

Our iFrame uses URLs to pass these parameters, as that's an adequate level of security in many cases. (Have you ever visited a website, manually extracted the URL to an iFrame, sent it to someone else, and expected your session to remain private? Probably not.)

If you want additional security, you can skip the iFrame and send your own secret/token inside JS or a cookie. Your JS can extract that and send it to the Web Chat JS object. Once Web Chat has the secret/token, it exclusively uses HTTP Authorization headers to send those values to the Direct Line service.

So exposing your secret isn't a big deal, per se. It does, however, allow a malicious user to impersonate any other user.

This is the default behavior because Direct Line needs some way to determine who it is authenticating with. The secret verifies that the client (Web Chat) is okay. But what verifies who the user is? The user ID? Any user can set their own user ID and impersonate someone else. The only way to truly secure this is to implement something on your own end that uses the secret to obtain a Direct Line token and then passes it back to the Web Chat client.

Also, to get conversation data, someone needs the secret and the conversation ID. The chances of figuring out a conversation ID are slim.

In general, though, you only need to worry about this security if you are trying to persist user data. If your users start a new conversation every time they open the bot, you can just generate a unique user ID and not worry about the secret being exposed.

Here's a good blog post on creating a client controller (token server) in C# and Node, along with some additional security features/concepts.

Here's another blog post on additional security considerations and using Enhanced DirectLine Authentication Features