microsoft / BotFramework-Services

Microsoft Bot Framework Services
Creative Commons Attribution 4.0 International

Web Chat embedding example / ease of doing correctly #99

Closed ChrisRisner closed 5 years ago

ChrisRisner commented 5 years ago

Currently, if you go to the WebChat channel in the Azure portal for a bot the embed code demonstrates how to iframe in a bot using your secret key. Given the risk in this approach, the page should more explicitly tell developers that this approach should only be used for local testing and never be deployed anywhere.

There are assorted other samples for how to embed webchat including how to embed using a token you retrieve using your secret, as well as how to reach out to an endpoint to get a token with each load of webchat. As the last is a common scenario and the best direction to point users in, it might be a good idea to provide boilerplate code to the Bot Builder SDKs so an endpoint to fulfill this purpose could be added and exposed in a single line of code.

corinagum commented 5 years ago

In v4 of Web Chat, this repo provides samples and documentation on protecting your secret and providing the user the information to know that we don't recommend using said secret except in testing situations. We have an open issue to track the creation of an explicit sample with a token server: #1534. Web Chat's Mock Bot is also openly available for perusal should anyone feel the need to dig deeper:

https://github.com/compulim/BotFramework-MockBot/blob/master/src/generateDirectLineToken.js

https://github.com/compulim/BotFramework-MockBot/blob/master/src/renewDirectLineToken.js

https://github.com/compulim/BotFramework-MockBot/blob/master/src/index.ts#L109

The original issue you mention is the lack of documentation about secrets on Azure Portal, which is using Web Chat v3. #1086 is our tracking issue for a significant update to the portal that will include a bump to v4 and will address this and several other issues. Please feel free to track that issue and ask for more detail from @compulim over there.

As for adding boilerplate code to the BotBuilder SDK, this would not be a decision made by the Web Chat team, nor would it be implemented on this repo. I will bring this up in our stand up and see that this issue is transferred for discussion with the SDK team.

[edit by corinagum]: Fixing Web Chat links post-transfer
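
A token endpoint of the kind discussed above, added here as an example and not taken from the thread, the Bot Builder SDK or the Mock Bot: the server exchanges the secret for a token at the Direct Line 3.0 `tokens/generate` endpoint and returns only the token to the page. The `DIRECT_LINE_SECRET` variable name, the function names and the server-generated `dl_` user ID are assumptions of this example, as is Node 20 or later.

```javascript
// Added example: the page asks this endpoint for a token on each load of Web Chat;
// the Direct Line secret stays on the server. Assumes Node 20+ (global fetch, crypto).
const GENERATE_URL = 'https://directline.botframework.com/v3/directline/tokens/generate';

// Build the server-to-server request. This header is the only place the secret appears.
function buildTokenRequest(secret, userId) {
  if (typeof secret !== 'string' || secret.trim() === '') {
    throw new Error('Direct Line secret is not configured');
  }
  // The user ID is chosen by the server, never taken from the browser.
  if (!/^dl_[A-Za-z0-9-]{8,64}$/.test(userId)) {
    throw new Error('user id must be server-generated and start with dl_');
  }
  return {
    url: GENERATE_URL,
    method: 'POST',
    headers: { Authorization: `Bearer ${secret}`, 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: { id: userId } }),
  };
}

// Allow-list what goes back to the page: token, conversation id, lifetime, user id.
function toClientPayload(directLineJson, userId) {
  const { token, conversationId, expires_in } = directLineJson;
  if (typeof token !== 'string' || token === '') {
    throw new Error('no token in Direct Line response');
  }
  return { token, conversationId, expiresIn: expires_in, userId };
}

// Handler in Node http / Express style (hypothetical route: POST /api/directline/token).
async function tokenHandler(req, res, fetchImpl = fetch, secret = process.env.DIRECT_LINE_SECRET) {
  res.setHeader('Cache-Control', 'no-store'); // tokens must not be cached
  if (req.method !== 'POST') { res.statusCode = 405; return res.end(); }
  try {
    const userId = `dl_${crypto.randomUUID()}`;
    const { url, ...init } = buildTokenRequest(secret, userId);
    const upstream = await fetchImpl(url, init);
    if (!upstream.ok) throw new Error(`Direct Line returned ${upstream.status}`);
    const payload = toClientPayload(await upstream.json(), userId);
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify(payload));
  } catch (err) {
    console.error('token exchange failed:', err.message); // message only, never the secret
    res.statusCode = 502;
    res.end();
  }
}
```

The handler can be passed to `http.createServer` or mounted as an Express route; the page then fetches a token from it and hands that token, not the secret, to Web Chat.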

ChrisRisner commented 5 years ago

Thank you for the update and the pointers.

compulim commented 5 years ago

Also related to #1218 and #1412. Will talk to the team if it should be in our bucket or not.

[edit by corinagum]: Fixing Web Chat links post-transfer

stevengum commented 5 years ago

This looks more like a botframework-services issue or VSO work item. @Andrea-Orimoto FYI.

corinagum commented 5 years ago

Thanks for the info. I don't have the ability to transfer to -services. Are you able to, or could @Andrea-Orimoto do that?

Andrea-Orimoto commented 5 years ago

The Webchat embed UI in the Azure Portal does have a link to an advanced customization options doc page, which explains how to get the DL token from the secret and use that instead. https://github.com/microsoft/BotFramework-WebChat/blob/master/README.md

I'm going to close this issue. If you feel like there is a better way, please reopen and provide your suggestion.

Thanks! Andrea