You can use webhooks to detect whether or not a user is logged in. This can be useful when you want an end user to carry out a transaction within the chatbot that requires information unique to this user (e.g. a consultation of prior purchase records). The following steps reflect the recommendation of Inbenta for the best and most secure practices.
User authentication system
Your service will need a user authentication system that generates a user token. You can generate a user token from your own login system with a user directory or by using Single Sign-On (SSO).
Suggested architecture with encrypted user token
Suggested architecture with SSO
You will also need a webhook that accepts the user token as a parameter and that will perform the action. After creating the webhook, complete these steps in your Inbenta Chatbot App:
- Create a new Chatbot variable to store the user token (This link opens the Inbenta Help Center. You need an Inbenta account to see this page). Set the detection scope of the variable to
Validation Only and enable
Hide in Logs and UI.
- Create a new action using the webhook URL (This link opens the Inbenta Help Center. You need an Inbenta account to see this page). Whenever you need to send the user token in an action, add the token variable to the input parameters of this action.
Each of the following steps corresponds to the same numbered step in the image below:
- Authenticate the user in the external customer service
- The website where the Chatbot is embedded needs to include a login page. This login page will authenticate the user.
- Generate user token
- The login page should generate an identifying token after authenticating the user. Inbenta strongly recommends that you generate encrypted tokens with an expiration time to avoid security issues.
- Receive the user token in the Chatbot integration
- Send the received user token to the Chatbot API
- Store the user token value in the new Chatbot variable using either the POST /conversation/variables endpoint of the Chatbot API or the addVariable method of the Chatbot SDK.
- You may repeat this step any time you refresh the user token. This is optional. The webhook then receives the user token and this action is fully responsible for checking the token's status.
- Start an intent with the webhook action previously configured
- Make sure that you validate the given token before you execute the action. Inbenta recommends to check:
- whether or not the token is expired, and
- whether or not the user authenticated by the token has the permissions required to perform the action. If the token is invalid, return an exception.
- After completing the intent, the Chatbot API sends the user token parameter to the External customer service
- Verify the user token in the external customer service
- If the user token is not valid:
- keep in mind that if a webhook is included within a dialog and the Chatbot receives an "error" status for this webhook, it automatically finishes and exits this dialog.
- the webhook can return a user-friendly error message to report that the user is not logged in and that the action cannot be performed.
- Receive verification status in the Chatbot API.