Unanswered

Web Channel Security Not Working in Copilot Studio

(1) Share

Report

Posted on by flojos

Hello Community Members,

I hope you’re all doing well! I’ve been using Microsoft Copilot Studio to build and deploy my chatbot on our custom website app. However, I’ve encountered an issue related to web channel security.

Here are the details of the problem:

Issue: Web channel security is not functioning as expected. It works sometimes and not others.
Scenario: I want to restrict access to my bot using the secret and tokens. but I often get a 403 Forbitten error when fetching the token. we tested different bots with the following dummy implementation (note we will do all the server site security configuration just did it this way for testing:

 var chatWindow = document.getElementById('chatWindow');
 
 var secret ='secret put here';

fetch('https://directline.botframework.com/v3/directline/tokens/generate', {
 method: 'POST',
 headers: {
 'Authorization': 'Bearer ' + secret
 }
})
.then(response => response.json())
.then(data => {
 var chatWindow = document.getElementById('chatWindow');
 chatWindow.src='https://copilotstudio.microsoft.com/XXXXXXXXXXXXXXXXXXXXXXXXXXXX&token=' + data.token;
})
.catch(error => console.error('Error:', error));

Desired Outcome: I’d like to ensure that only authenticated requests can interact with my bot via the web channel and that the bot can retrieve and pass on the tokens.

Questions:

Has anyone been able to use the Direct Line API 3.0?
Are there any additional steps I need to take to enforce web channel security effectively?

Categories:

Publish & channel management

I have the same question (0)

All responses (5)

Answers (0)

adilei on at

Like (0)

Report
Where is this pattern taken from? i.e. a pattern where the token is being passed as a URL parameter?

The sample here should work: Customize the Web Chat canvas - Microsoft Copilot Studio | Microsoft Learn,

Specifically, this section:
const directLine = WebChat.createDirectLine({ domain: new URL('v3/directline', directLineURL), token }); // Sends "startConversation" event when the connection is established. const subscription = directLine.connectionStatus$.subscribe({ next(value) { if (value === 2) { directLine .postActivity({ localTimezone: Intl.DateTimeFormat().resolvedOptions().timeZone, locale, name: 'startConversation', type: 'event' }) .subscribe(); // Only send the event once, unsubscribe after the event is sent. subscription.unsubscribe(); } } }); WebChat.renderWebChat({ directLine, locale, styleOptions }, document.getElementById('webchat'));

Was this reply helpful? Yes No
yukiko0219 5 on at

Like (0)

Report
I am also facing a similar issue.

Following is an example from https://github.com/microsoft/BotFramework-WebChat:

import React, { useMemo } from 'react'; import ReactWebChat, { createDirectLine } from 'botframework-webchat'; export default () => { const directLine = useMemo(() => createDirectLine({ token: 'YOUR_DIRECT_LINE_TOKEN' }), []); return <ReactWebChat directLine={directLine} userID="YOUR_USER_ID" />; };

the connection is sometimes successful, however, it times out in most cases.
When I try to refresh the token, I get "Conversation not found" error

Was this reply helpful? Yes No
adilei on at

Like (0)

Report

Are you trying to connect to copilots/bots in different regions?

Was this reply helpful? Yes No
yukiko0219 5 on at

Like (0)

Report

I am trying to connect copilots in the US. (my conversation id also ends in "-us")

Was this reply helpful? Yes No
adilei on at

Like (0)

Report

If it's an intermittent issue, try raising a case with support. I'm seeing a similar (older) issue here: Error with Power Virtual Agent Bot: Site Missing code 403 from https://directline.botframework.com/v3/directline/conversations · Issue #4625 · microsoft/BotFramework-WebChat (github.com)

Was this reply helpful? Yes No