BaaS Secure Session

A Secure Session backed by a BaaS api-connector requires the following:

  • A hosted Authorization API that can validate an identifying item from the user’s conversational context
  • A BaaS api-connector that can map that conversational context into a call to the hosted API

The overall process can be summarized as:

  • The conversational context is configured on initialization with one or more items that identify the user (a token, in the example below)
  • The first message from the user into the bot invokes the BaaS api-connector, which calls the Authorization API. If the call succeeds, the message continues to ingress; if it fails, the message is blocked.
  • The same call is repeated each time the ValidationInterval expires. The interval is described under Configuring the Bot below.

Configuring the BaaS

The first step is configuring a BaaS api-connector that can communicate with the Authorization API. An example is shown below:

{
  "Method": "POST",
  "Endpoint": "https://my-authorization-api.com/VerifyToken",
  "Headers": {
    "Authorization": "srn:vault::acme:secret:my-authorization-api-key"
  },
  "Alias": "SecureSessionBaaS",
  "RequestMapping": {
    "tokenToVerify": {
      "type": "requestBody",
      "requestBodyPath": "$.token",
      "inputPath": "$.secureTokenForUser"
    }
  },
  "ResponseMapping": {},
  "Type": "api-connector",
  "Body": {}
}

This BaaS does the following:

  • Authenticates with the Authorization API by sending, in the Authorization header, an API key stored as a secret within the ServisBOT platform (the srn:vault reference above is resolved to the secret value at call time). How the API itself authenticates callers depends on your specific implementation.
  • Maps secureTokenForUser from the conversational context into the token field of the request body. In this example secureTokenForUser is assumed to sit at the root level of the conversational context, hence the inputPath of $.secureTokenForUser.

The Authorization API

The implementation of the Authorization API will vary across use cases. To work with the BaaS api-connector above, the API must do the following:

  • Authenticate callers by API key, using the value sent in the Authorization header
  • Read the token field from the JSON request body and verify that the token is valid
  • Return a status code of 200 on success and a 4xx status code on failure
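
Putting the two sections together, the following is an added example in Python (not ServisBOT’s code or the page’s own) of an Authorization API handler that meets the three requirements above, together with a small model of the ingress gating and ValidationInterval behaviour described under the overall process. The request shape (an Authorization header plus a JSON body with a token field) follows the api-connector configuration above; the API key value, the token format (an HMAC-signed user-plus-expiry string), the session gate class and the fake clock are assumptions made for the demo and are not taken from the page.

```python
"""Added example (not ServisBOT's code): a minimal Authorization API handler of
the kind the SecureSessionBaaS api-connector calls, plus a model of the
validation gate described in the overall process. Assumptions, not taken from
the page: the API key value and the token format
("<user>.<expiry>.<hex-signature>", HMAC-SHA256)."""
import hashlib
import hmac
import json
import time

# Assumed secrets for the demo. In production both come from a vault, never source.
API_KEY = "example-api-key-from-vault"            # value the BaaS sends in Authorization
TOKEN_SIGNING_KEY = b"example-token-signing-key"  # shared with whatever issued the token


def issue_token(user_id, expires_at):
    """Assumed token scheme for the demo: '<user>.<expiry>.<hex hmac-sha256>'."""
    payload = f"{user_id}.{expires_at}"
    sig = hmac.new(TOKEN_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def token_is_valid(token, now):
    """Constant-time signature check plus expiry; anything malformed is invalid."""
    try:
        user_id, expiry, sig = token.split(".")
        expires_at = int(expiry)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(TOKEN_SIGNING_KEY, f"{user_id}.{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig.encode(), expected.encode()) and now < expires_at


def verify_token_endpoint(headers, raw_body, now=None):
    """Handles POST /VerifyToken as the api-connector issues it.

    Returns (status, response_body): 200 when the token is valid, 4xx otherwise,
    which is what the Secure Session check requires of the Authorization API."""
    now = time.time() if now is None else now
    # 1. API-key authentication: the Authorization header, compared in constant time.
    presented = headers.get("Authorization", "")
    if not hmac.compare_digest(presented.encode(), API_KEY.encode()):
        return 401, {"error": "unauthorized"}
    # 2. The RequestMapping puts the context value at $.token in a JSON body.
    try:
        token = json.loads(raw_body)["token"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "token missing"}
    # 3. One failure response for forged, malformed and expired tokens: do not leak which.
    if not isinstance(token, str) or not token_is_valid(token, now):
        return 403, {"error": "invalid token"}
    return 200, {"valid": True}


class SecureSessionGate:
    """Model of the gating described above: the first message of a session triggers
    the Authorization API call, which is repeated once ValidationInterval seconds
    have passed since the last successful check. A failed check blocks the message."""

    def __init__(self, validation_interval, call_api, clock):
        self.interval = validation_interval
        self.call_api = call_api   # (headers, raw_body) -> (status, body)
        self.clock = clock
        self.last_ok = {}          # session id -> time of last successful validation
        self.calls = 0             # how many times the Authorization API was hit

    def ingress(self, session_id, context):
        now = self.clock()
        last = self.last_ok.get(session_id)
        if last is None or now - last >= self.interval:
            self.calls += 1
            # RequestMapping: $.secureTokenForUser in the context -> $.token in the body.
            body = json.dumps({"token": context.get("secureTokenForUser")})
            status, _ = self.call_api({"Authorization": API_KEY}, body)
            if status != 200:
                self.last_ok.pop(session_id, None)
                return False           # message blocked
            self.last_ok[session_id] = now
        return True                    # message continues to ingress


def demo():
    """Constructed run with a fake clock: ValidationInterval 60, token valid for 90 s."""
    clock = [1_000_000]
    tick = lambda: clock[0]
    api = lambda headers, body: verify_token_endpoint(headers, body, now=tick())
    gate = SecureSessionGate(validation_interval=60, call_api=api, clock=tick)
    context = {"secureTokenForUser": issue_token("user-42", clock[0] + 90)}
    allowed = []
    for step in (0, 30, 30, 60):       # t=0: first message; t=30: inside interval;
        clock[0] += step               # t=60: re-check, still valid; t=120: expired
        allowed.append(gate.ingress("session-1", context))
    return allowed, gate.calls         # ([True, True, True, False], 3)
```

Two points from the handler carry over to any real implementation: compare the API key and the token signature with hmac.compare_digest rather than ==, and treat a missing or non-string token as a failure rather than a pass, since the BaaS mapping sends null when secureTokenForUser is absent from the context and that message must be blocked. Returning the same 4xx body for forged, malformed and expired tokens keeps the endpoint from acting as an oracle.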

Configuring the Bot

An example bot configuration is shown below:

{
  "State": "RUNNING",
  "SecureSession": true,
  "SecureSessionConfig": {
    "Type": "baas",
    "ValidationInterval": 60,
    "ApiAlias": "SecureSessionBaaS"
  },
  "Workers": [
    {
      "Type": "nlp-worker",
      "Id": "6cefded5-7c09-4e67-ad81-6dc0f96b6462"
    }
  ],
  "QuietTimeEnabled": false,
  "NluManagementMode": "ServisBOT",
  "Persona": "AIBot",
  "Organization": "engjohn",
  "DisplayName": "BurgerBot",
  "Id": "sbIuyRQdU",
  "Name": "securebot"
}

Taking a closer look at the Secure Session configuration:

  "SecureSession": true,
  "SecureSessionConfig": {
    "Type": "baas",
    "ValidationInterval": 60,
    "ApiAlias": "SecureSessionBaaS"
  },

  • SecureSession: set to true to enable Secure Session
  • SecureSessionConfig.Type: set to baas to validate the session by calling a BaaS api-connector
  • SecureSessionConfig.ApiAlias: the Alias of the api-connector to call (SecureSessionBaaS in the example above)
  • SecureSessionConfig.ValidationInterval: how often, in seconds, the check against the Authorization API is repeated. A very low value increases load on the Authorization API and degrades bot performance; a very high value lengthens the window in which a token that has since expired or been revoked is still accepted.