I have to design an e-learning tutorbot that has multiple possible channels living in parallel:
A live chat (to support learner with FAQ when browsing the e-learning application website)
A IM chat as Telegram (for asyncronous notifications)
An email (for anything else)
...
Take a part the connectors gateway communication logics.
My problem/question is mainly about how to manage user identification.
I want that a user is identified with an unique identifier (call it conversation_id) regardless of channel.
In the mentioned scenario user has one different ID for each channel:
An account_id on the website (e.g. solyarisoftware)
A chat_id on Telegram (e.g. 1234567890)
An email_address (e.g. giorgio.robino#blabla.com)
So, how to let RASA chatbot accept requests coming from the same user (but from different channels)? In other words, how can I map multiple channel IDs into a RASA unique ID, say the conversation_id ?
At the end of the day I need to generate a lookup table that map a UUID with all channel ids. Right?
But is not clear to me what's a good (simple) user experience. At first glance seems to me that that I need a sort of login/registration flow: each time user submit a request on channel X, only for the first time, the user must identify himself somewhere (with his email/account_id?). So by example trough Telegram, when the Telegram connector server receive a /start command, the bot must ask the user email(or account_id), to be able to associate 1-to-1 the TG chat_id with that email. Not perfect in terms of security, I admit.
Any experience/idea/suggestion?
Thanks/giorgio
I don't have an hands-on experience on this but it is something I have been thinking myself for a while.
Indeed the 'merge' of the different accounts (across channels) is something that we need to maintain ourselves, making sure each channel user ID is eventually mapped to a universal user ID (lookup table makes sense to me).
Since you have a website, an email address and multiple channels I would say the assumption is that users first registered on the web site. Each user has a unique email address and obtains an account secured by username/password, as well as a unique secret token.
When chatting on browser (ie Rasa WebChat) you can initialise the plugin with custom parameters (ie userId=1 or token=X), in this case the chat session is assigned to the given user id.
When using Telegram (or other messenger application) I would (at the very first access) ask the user if he/she has already registered. If yes then I would ask the token: this can be used to perform the map and link this Telegram user to the universal user Id. Same approach for other channels.
Depending on your needs you might need to deal with anonymous access (users don't provide the token) or maybe you want to provide a different token for each channel (more secure, but requires more work and an easy way to explain this to users).
Finally something to look at (I haven't tried myself) is the possibility to provide in the web site the option to open Telegram (or others) passing an extra parameter, which would allow you to perform the mapping. I don't know if this is possible, but it would simplify this process for your end users. Or the other way around: the users in Telegram could be provided with a link which opens the website, where they can login and be recognised.
Related
I am working on a web application which is based on Google App Engine (GAE). The requirement of the application is that one user can be associated with multiple company accounts.
My application has two main types of accounts. One is that main Admin/Company account. Other is the employee account (i.e. the persons who work under a company). Now, what I want to do is that to allow an employee to work under more than one companies, but he does not have to make a separate account for each company. His single account can be associated with multiple companies.
I have explored different platforms which are already supporting this feature. The major ones which I found are Slack and Asana. And my problem can be perfectly mapped to what Slack is doing right now i.e. I create a single account on Slack and I can join multiple workspaces on Slack using this single account.
I want to achieve the same in my application too. I am curious that how Slack is supporting this feature right now? Does it send some ID with every request to the server which indicates that the activity which just has been done is associated with the workspace under this ID? Or there is some unique sort of token associated with every workspace (on Slack API level)?
I do have such a model in my app. A unique auth_token is associated with every company account. So, I am thinking that when an employee wants to do an activity for a specific company he will send this unique token with the request to the server so that server knows for which company the activity was performed.
Does anybody know what is the best way of achieving this?
There are two different concepts at work here:
Relation between account and company / workspace
The data structure for the Slack account is designed such that it can be linked to multiple Slack workspaces, e.g. in SQL you would have a many-2-many relation between the accounts and the workspaces table.
Staying logged in
The way Slack and others Single-Sign-On provides like Google SSO keep you logged in is by settings a browser cookie. That cookie would usually be some kind of crypto hash and the SSO provider will use it to identify to which account the current user belongs to or to request a login via OAuth if the cookie is missing / invalid.
This can also be achieved partly with server sessions (which also uses cookies). Using server sessions is easier to implement than implementing your own (secure) cookie solution, however the user will only stay logged in as long as the browser stays open. But that should be sufficient for most solutions.
Note that tokens for the Slack API work very differently. e.g. they have to be generated per workspace, user and app.
I am making a telegram bot, which requires a registration and further usage of bot's services, regularly updating user's data.
I have some cases, when I need to edit user's data, but all I can receive from chat is chat.id.
I am planning to use it as a unique value for identifying specifically that user.
The question is, does this attribute remain same for all the time user interacts with bot? I suppose that it will change, when user deletes chat, but will it change in other cases?
The chat.id of a Chat between a bot and a User will never change. In this situation the chat.id represents the id of the User.
The company I am working at offers a web based calculation tool which has to be paid monthly (a fixed price for a license).
Normally, users go to our website and authenticate themselves with their credentials and then can use the application. When they cancel their subscription they are not able to use the tool anymore, obviously.
Now another company called us because they want to provide our application for their own clients. We have already fixed that they have to pay a license fee for every of their clients. But there is also a restriction: their users should not have to log in on any of our websites (only on the website of our client). But the web application is hosted on our server and is loaded as an iframe.
Now there is that problem that we are not sure whether our client tells us the correct number of people who use our application wherefore we would like to verify that in some way.
One of my ideas is the following:
Our client has to call an API for every users who would like to use our application in order to submit some information like name or an unique ID of that user
When the user would like to access our application, an ID parameter is appended to the iFrame URL
I think that this is not a very good solution because our client could use the same ID for every access and pretend that only one users uses the application. By saving the ip address and id of the accesses it is possible to determine fraud in some cases because ip address will not change frequently.
We even do not have to know WHICH user accesses the application but only the NUMBER of users per month.
I am interested if there is a cryptographic solution where it is hard to cheat. Something like an authentication method which does not require any interaction of the user.
Well you can't. You should require the partner to issue a token for each user so you know they came from the partner.
You could have the partner call an api you expose to issue a one time token for a user and specify user id and IP. You could alternatively have the partner digitally sign such a login request.
If you bill the partner per user, and the partner decitfull he could claim less users.
You can fingerprint the users, you can give long term coockies, you can check IP and fonts installed etc. These will allow you to detect most types of fraud.
If you give a declared userId a cookie and then see him again without it, you assign him a new cookie and then later see the first cookie again while the partner is always declaring same id that is a very strong indicator of fraud.
If I was the decietfull partner I would pair up geographicly close users and merge their IDs. it would look no different from a user with two devices. But this still limits the extent of fraud possible. Two devices per user is plausible. 10 less so.
Find business partners you trust.
So I am testing out Dialogflow and one of the first questions I have is: how does my bot know who it is talking to? I need to identify a user and keep that information for as long as I can. The basic scenario being:
User starts his/her first conversation.
Chatbot send a fulfillment request to the server trying to match a user within its own database.
The user is found, the information (as a JWT or some other token) is sent back to Dialogflow and stored there for further communication. In reality, this part would involve asking for user email, sending a verification code to that email and then verifying the user with the code.
User then starts chatting with a bot and all fulfillment requests get the unique token stored for this very user, so that my REST API knows which user is being served with the response.
Couldn't find anything about it in the docs (maybe I am looking in the wrong places).
There will be several integrations, like Messenger, Viber, Telegram. I dunno, maybe those APIs add some unique information on the user?...
Thanks for the help!
Sorry, I know it's been a while, but maybe this will help someone else.
The right solution here is a user id, not a session id. A user id is provided by the chat platform (Facebook, Slack etc) and is consistent across sessions for the same user.
To get the user id, go to the Fulfillment tab, enable the editor and use a function like so:
let r = request.body.originalDetectIntentRequest
//this makes sure that you're on an integration
if (r["source"]){
return r.payload.data.sender.id;
}
To tie together ids from different platforms, you probably have to have some kind of log-in process every time you encounter a new id on a platform.
Pop,
Sessions are built in already into DialogFlow requests to your fulfilment service, if you check the payload you will find a sessionId, it remains the same for the same client until it expires.
However if you want to identify the user from any of the clients that you can connect to DialogFlow like Messenger then from the same request payload to you you will notice that there is an object named originalRequest that is only available when requests are coming from those clients.
You can personalize those users response eg using their FB firstname in a message to them.
Recently google has added multiple user support to the assistant so how would use the API to identify the person by voice?
It depends what you mean by "identify the person".
There is no way for an Action to get the raw audio, so there is no way for it to do voice printing or anything along those lines.
Although each voice has to be reported against a Google User ID, you do not have direct access to that user ID.
What developers do have access to is a UID that is sent along with each request to your fulfillment server. This UID is consistent across requests, although it can be reset by a user (for example, if they reset their Google Home). You can think of this the same way you think of an HTTP cookie - you can track the UID and, if you see it again, have reasonable assurance it is the same user that accessed it last time. This breaks down, however, for the "default" account on Google Home, since anybody who doesn't have an account will map to this user.
Beyond this, you can also use Account Linking to connect a Google Account consistently to an account in your own system. If you have sufficient authentication in place, or are using one from Google or Facebook for example, this can act as an identity.
There isn't an API for developers to identify users by voice.