Watson Assistant

Expand all | Collapse all

Securing Cloud Function calls from Assistant

  • 1.  Securing Cloud Function calls from Assistant

    Posted Thu August 13, 2020 11:35 AM
    We're building an Assistant that integrates to a government backend in order to check applications in order to update the end user.
    We cannot allow the Function call to be accessible externally for security reasons. We've setup a Secure Gateway service in order to route the Cloud Function calls over that connection. 
    I need to be able to call the Cloud Function without using a publicly available endpoint (even with authentication setup).
    What's the best way to set this up? I've used Actions in Dialog nodes before, which are not publicly visible, but that seems to be depreciated now in favour of webhooks. I've gone over the documentation but haven't been able to figure this out.
    Is there a way to use a Cloud Foundry Namespace to achieve this?
    We're using Watson Assistant Plus plan with the Webchat widget so there is no middleware/backend application routing our messages.
    Thanks in advance for any suggestions.

    Declan Hoare

  • 2.  RE: Securing Cloud Function calls from Assistant

    Posted Fri August 14, 2020 02:57 PM

    Are you saying you can't use a publiic endpoint even if it is secured by some kind of auth?

    Our webhooks only support basic auth, and unfortunately the cloud functions only use IAM, but this outlines how we recommend you should secure your cloud function if needed:


    Otherwise, you can create a middleware app that's hosted anywhere you like, as long as the URL can be called from Assistant with basic auth or whatever other kind of auth you want, maybe passing a secret param, etc.

    The old way of calling actions via the JSON is not being deprecated, but its also not really being enhanced, using JSON, etc.

    Mitch Mason

  • 3.  RE: Securing Cloud Function calls from Assistant

    Posted Tue August 18, 2020 11:45 AM
    Hi Mitch,
    Thanks very much for the reply. Yes, we cannot use an endpoint that is reachable from the internet. Middleware is also not ideal as we're trying to avoid using anything other than IBM components, which is why we've set up the Plus plan and are using the Web Client direct to the Assistant that's available in that plan.
    I'll go ahead and use the Actions for now since they are still supported.
    Many Thanks,

    Declan Hoare

  • 4.  RE: Securing Cloud Function calls from Assistant

    Posted Mon August 24, 2020 09:56 AM


    Not sure if this helps, but assuming you've turned on the security on your web chat integration, you can use the JWT you provide on the call coming from the browser down stream in the dialog as it  is available under $integrations.chat.private.jwt. 

    I know you've mentioned you don't want to use any authentication, but this can be used as means to authenticate with your client backend. This is probably the most secured mechanism you can achieve as the jwt was originally created by the client!