
I'm looking to proxy requests to https://directline.botframework.com for specific consumers but only allow them to use the proxy for a specific bot:

consumers -> my.proxy.com -> directline.botframework.com

I read in another post "the Direct Line secret or token that you specify in the Authorization header of the request is used to identify the bot that the request should be directed to"

I'm unable to find any documentation on the syntax of tokens, but examples appear to follow a certain pattern of 11 chars followed by a period...:

Authorization: Bearer RCurR_XV9ZA.cwA.BKA.iaJrC8xpy8qbOF5xnR2vtCX7CZj0LdjAPGfiCpg4Fv0y8qbOF5xPGfiCpg4Fv0y8qqbOF5x8qbOF5xn

Are any of these fields(?), e.g. first 11 characters before first period, a unique identifier for a bot that I could use to filter requests on?

jonhadfield
  • As you said, it seems that no documentation demonstrates how to extract bot information from a Direct Line secret or token to identify the bot. If possible, you can try to create a [github issue](https://github.com/Microsoft/BotBuilder/issues) to report it. – Fei Han Aug 07 '18 at 03:01
  • Thanks @FeiHan, I'll create that now. I've also raised a support ticket via the Azure portal so will update with any feedback. – jonhadfield Aug 07 '18 at 07:49
  • "only allow them to use the proxy for a specific bot": do you already know the secret for this specific bot? – Nicolas R Aug 07 '18 at 08:43
  • @NicolasR, yes. We only want to be able to proxy requests to bots we have created and have control over. – jonhadfield Aug 07 '18 at 08:52
  • If your consumers are using the secret directly, can't you just store a list of those secrets and check the Bearer value? – Nicolas R Aug 07 '18 at 09:27
  • I don't believe the tokens/secrets are static in our implementation but I will check. I (probably wrongly) assumed at least part of the bearer value would change with each session/conversation. – jonhadfield Aug 07 '18 at 09:48

1 Answer


If you decode the bearer token you can get the app id. I just tested this with jwt.io and was able to see my correct app id.


You can probably find a library that you can use to do this for you to get the app id, but I do not know one off hand. If you have access to the whole request, another option would be to parse the activity for the bot id (in C#, activity.recipient.id or activity.from.id depending on direction) and use this data to whitelist somehow. This is a fairly unique case so I do not have any examples of this.

D4RKCIDE
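The following is an added example of the proxy-side filter the thread converges on; it is not code from the asker, the answerer, or the Bot Framework project. It combines the three ideas raised above: compare an opaque Direct Line secret against a stored allow-list (Nicolas R's suggestion), decode the payload of a JWT bearer token to read a bot/app id claim (the accepted answer), and read `recipient.id` / `from.id` out of the activity body when the whole request is available. The claim name (`bot`), the allow-list values and the sample token are all constructed assumptions, since the page does not name the claim. Note that the JWT payload is decoded without verifying the signature: that is acceptable here only because the proxy is a pre-filter and directline.botframework.com still validates the token itself, so a forged claim only gets a request forwarded that the upstream service will reject.

```python
import base64
import hmac
import json
from typing import Optional

# Constructed allow-lists for bots we control (placeholder values, not real credentials).
ALLOWED_SECRETS = {"secret-for-bot-A-PLACEHOLDER"}
ALLOWED_APP_IDS = {"11111111-2222-3333-4444-555555555555"}
ALLOWED_BOT_IDS = {"bot-a"}
# Assumed claim name carrying the bot/app id; the page does not state it, so keep it configurable.
APP_ID_CLAIM = "bot"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for testing the filter (not a real Direct Line token)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.SIGNATURE-PLACEHOLDER"


def decode_jwt_payload(token: str) -> Optional[dict]:
    """Return the claims of a three-segment JWT WITHOUT verifying its signature; None if not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # binascii.Error and JSON/Unicode errors are ValueError subclasses
        return None
    return claims if isinstance(claims, dict) else None


def bearer_value(headers: dict) -> Optional[str]:
    """Extract the credential from 'Authorization: Bearer <value>'."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def is_allowed_credential(headers: dict) -> bool:
    """Allow a request only if its bearer value names a bot we control."""
    cred = bearer_value(headers)
    if cred is None:
        return False
    claims = decode_jwt_payload(cred)
    if claims is not None:
        # Token path: unverified claim, used only as a pre-filter (upstream verifies the signature).
        return claims.get(APP_ID_CLAIM) in ALLOWED_APP_IDS
    # Opaque secret path: constant-time comparison against each stored secret.
    return any(hmac.compare_digest(cred, s) for s in ALLOWED_SECRETS)


def activity_bot_id(body: bytes, direction: str) -> Optional[str]:
    """Read the bot id from a Bot Framework activity: recipient.id towards the bot, from.id away from it."""
    try:
        activity = json.loads(body)
    except ValueError:
        return None
    if not isinstance(activity, dict):
        return None
    party = activity.get("recipient" if direction == "to_bot" else "from") or {}
    return party.get("id") if isinstance(party, dict) else None


def is_allowed_request(headers: dict, body: bytes = b"", direction: str = "to_bot") -> bool:
    """Combined check: credential must be allowed, and if a body is present its bot id must be too."""
    if not is_allowed_credential(headers):
        return False
    if body:
        bot_id = activity_bot_id(body, direction)
        return bot_id is not None and bot_id in ALLOWED_BOT_IDS
    return True


if __name__ == "__main__":
    tok = make_sample_token({APP_ID_CLAIM: "11111111-2222-3333-4444-555555555555"})
    print(is_allowed_credential({"Authorization": "Bearer " + tok}))  # True
    print(is_allowed_credential({"Authorization": "Bearer RCurR_XV9ZA.cwA.BKA.iaJ"}))  # False
```

`is_allowed_request` is what a proxy handler would call before forwarding; a `False` result should produce a 403 and a log line rather than a pass-through, so misuse attempts against other bots are visible to whoever operates the proxy.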