Skip to content

IBM/secure-chatbot-interactions-using-security-verify

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

62 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Establish identity & trust during chatbot interactions using IBM Security Verify

Chat bots are becoming a popular way to interact with customers. In any business conversation, validation of the customer identity is very essential. Identity verification prevents anyone from carrying out an action on other people's behalf, creating false identities, or committing fraud. IBM Security Verify can be used to establish identity and trust during chatbot interactions.

IBM Security Verify protects users and applications with a cloud-native, software-as-a-service (SaaS) approach that leverages the cloud. Beyond single-sign on and multifactor authentication, Verify is a modernized, modular IDaaS that provides deep AI-powered context for risk based authentication and adaptive access. IBM Security Verify provides a centralized user management interface that can be managed through the admin UI or automatically through REST APIs. It is built upon open standards such as OpenID Connect and SAML 2.0. There are a number of multifactor verification methods available out-of-the-box like SMS, Email, Voice callback one-time passcode, Push notification approval, Knowledge questions and so on.

This code pattern uses the single-sign on authentication and email based multifactor verification method.

This code pattern demonstrates a scenario in the Online Retail domain where customers register on the portal, and subsequently login to the portal to shop for merchandise. After a customer has purchased items, they want to perform the below operations:

  • Check the status of the order
  • Cancel the order

These two operations can be done with a conversational chatbot without a need to login to the portal. Chatbot is integrated with the webapp to avoid the hassle of logging into the portal to check order status or cancel the order. The identity of the user needs to be ascertained to allow these two operations. Though the user need not login to start conversation with chatbot, the user is authenticated by verifying email-id and the one time code sent by Security Verify. Once the identity is ascertained, the chatbot allows user to communicate further regarding their orders.

The code pattern explains the following:

  • Add SSO to a Java based webapp
  • Design chatbot conversation using Watson Assistant
  • Implementing IBM Cloud Functions to be used as webhook with chatbot
  • Integration of Security Verify with Watson assistant to establish identity and trust (Chatbot security)

Flow

Architecture

  1. An user accesses the E-Commerce portal app.
  2. The user registers on the portal using IBM Security Verify and subsequently logs in.
  3. After login, the user can shop for merchandise, and the transactions are stored in database.
  4. Later, user accesses chatbot to check order status or cancel the order without logging into the app.
  5. Chatbot verifies the user identity with the help of security verify using the user's registered email id.
  6. Once user's identity is verified, chatbot communicates with the e-commerce portal app via REST APIs for the required action.

Pre-requisites

Steps

  1. Clone the repository
  2. Create IBM Cloud Services
  3. Configure Security Verify
  4. Create Cloud Functions Action
  5. Setup Watson Assistant Chatbot
  6. Deploy E-Commerce Portal Application
  7. Access the Application

1. Clone the repository

From a command terminal, run the below command to clone the repo:

git clone https://github.com/IBM/secure-chatbot-interactions-using-security-verify

2. Create IBM Cloud Services

2.1 Sign up for IBM Security Verify

Click Security Verify to sign up for Security Verify. After you sign up for an account, the account URL (https://[tenant name].verify.ibm.com/ui/admin) and password is sent in an email.

2.2 Create IBM DB2 Service instance

Login to IBM Cloud, in IBM Cloud Catalog search of DB2. Click on the Db2 tile.

Select an appropriate plan. Read and accept the license agreement. You may leave the other options to their default values. Click on Create button. It will take a minute or so to provision an instance.

Make a note of service credentials

  • Click the newly created db2 entry in IBM Cloud Resource list
  • Click Service credentials on the left hand side navigation menu. If there are no credentials, then click on New credential button and create new credentials.

create_db2_credential

Note the username, password, host and port of the DB2 instance. The will be needed for configuring E-Commerce Portal Application.

note_credential

2.3 Create Watson Assistant Service instance

  • Login to IBM Cloud, in IBM Cloud Catalog search of Assistant and create a Watson Assistant service by selecting the Lite plan and clicking on Create.

  • Click Launch Watson Assistant to launch console.

2.4 Create an instance of OpenShift cluster

Go to this link to create an instance of OpenShift cluster.

Make a note of the Ingress Subdomain URL: ingress

3. Configure Security Verify

Please follow the instructions here to configure Security Verify.

4. Create Cloud Functions Action

Login to your IBM Cloud account. On the dashboard, click on the hamburger menu and navigate to Functions and click on Actions.

Click the Create button to create a new action. Enter a name for action under Action Name. Leave Enclosing Package as (Default Package) itself. Under Runtime select option for Node.js.

Click on Create button. You are presented with actions code editor. Replace the existing code with the javascript code here.

Next, in the javascript code, update the value of following variables (mentioned in the beginning of the file):

//Security Verify Details
var tenant_url = "xxxx.verify.ibm.com"
var client_id = "xxxx"
var client_secret = "xxxx"

//API Details
var GET_ACTIVE_ORDERS_URL='http://<openshift_url>/portal/ecomm/auth/getactiveorders'
var GET_ALL_ORDERS_URL = 'http://<openshift_url>/portal/ecomm/auth/getorders'
var CANCEL_ORDER_URL = 'http://<openshift_url>/ecomm/auth/cancelorder'

Note: Please use the security verify credentials noted in step 3 and replace openshift_url by the OpenShift ingress subdomain url as noted in step 2.4.

Click Save button on the top right of the code editor.

Enable cloud function action as web action

For the action just created, click Endpoints on the left side navigation menu. Select the checkbox Enable as Web Action. Click the Save button on the right top corner. When saved, Copy web action url icon, under Web Action section is enabled. Click the icon to copy the webhook url. This URL will be used in Watson Assistant for it to call the actions in Cloud Functions.

Webhook URL

5. Setup Watson Assistant Chatbot

Login to IBM Cloud. On the dashboard, click on the hamburger menu and click Resource List. Click on the Watson Assistant instance that you created earlier. Then click on Launch Watson Assistant button to launch Watson Assistant dashboard.

  • In the Watson Assistant home page, click skills option on the left menu options.

If you do not see skills icon, then the Watson assistant view could be for the new experience UI. For this code pattern, we will use the classic view and hence switch to classic view by navigating to manage (user icon on top right corner) and clicking Switch to classic experience.

  • Click Create skill button, then click Dialog skill tile. Click Next.
  • Select Upload skill tab. Drag and drop or browse to select the file in /sources/chatbot/dialog/bot-dialog.json. Click Upload.
  • On the left navigation links click Options->Webhooks on the left hand navigation.
  • In URL text field, enter the REST API endpoint as noted in step 5 and append it with .json. It should look something like this
     https://eu-gb.functions.appdomain.cloud/api/v1/web/.../default/sample.json
    
  • Click Assistants icon on the top left corner of Watson Assistant screen
  • Click Create assistant.
  • Give a name for your assistant, optionally enter a description and click Create assistant.
  • On the just created Assistant screen, click the Preview button. Make a note of integrationID, serviceInstanceID and regionfrom the link provided under the section Share this link. These will be used in next step.
  • Close the window using the x button placed just below the user icon on the top right corner.

6. Deploy E-Commerce Portal Application

Login to your OpenShift cluster from command line

Login to your OpenShift cluster. Access the IBM Cloud Dashboard > Clusters (under Resource Summary) > click on your OpenShift Cluster > OpenShift web Console. Click the dropdown next to your username at the top of the OpenShift web console and select Copy Login Command. Select Display Token and copy the oc login command from the web console and paste it into the terminal on your workstation. Run the command to login to the cluster using oc command line.

6.1 Configure E-Commerce Portal Service

6.1.1 Changes to server.xml

In the cloned repo folder - go to src/main/liberty/config. Open server.xml.

Make the below changes for the openidConnectClient element and save the file:

  • Replace {{ingress-sub-domain}} with Ingress subdomain of the OpenShift cluster.
  • Replace {{clientId}} and {{clientSecret}} with the Client ID and Client secret noted on the Sign-on tab of Security Verify.
  • Replace {{tenantId}} with the tenant id of Security Verify noted at the time of creation.
<openidConnectClient id="home"
		signatureAlgorithm="RS256"
		httpsRequired="false"    
		redirectToRPHostAndPort="http://ecomm-portal-chatbot.{{ingress-sub-domain}}/portal/ecomm"
		clientId="{{clientId}}"
		clientSecret="{{clientSecret}}"
		authorizationEndpointUrl="https://{{tenantId}}.verify.ibm.com/v1.0/endpoint/default/authorize"
		tokenEndpointUrl="https://{{tenantId}}.verify.ibm.com/v1.0/endpoint/default/token"></openidConnectClient>

6.1.2 Changes to db.config

In the cloned repo folder - go to src/main/resources. Open db.config.

Replace the {{host}} and {{port}} with the host and port you noted during Db2 credentials creation. Enter the userid, password and schema with the username, password and username(in uppercase). Save the file.

Note: the schema should be in uppercase of the username noted in Db2 credentials.

jdbcurl=jdbc:db2://{{host}}:{{port}}/bludb:sslConnection=true;
userid=
password=
schema=

6.1.3 Changes to verify.config In the cloned repo folder - go to src/main/resources. Open verify.config.

Make the below changes and save the file:

  • Replace {{tenant-id}} with the tenant id of Security Verify noted at the time of creation.
  • For clientId and clientSecret enter the Client ID and Client secret noted on the Sign-on tab of Security Verify.
  • For apiClientId and apiClientSecret enter the Client ID and Client secret noted on the API Access tab of Security Verify.
introspectionUrl=https://{{tenant-id}}.verify.ibm.com/v1.0/endpoint/default/introspect
tokenUrl=https://{{tenant-id}}.verify.ibm.com/v1.0/endpoint/default/token
userInfoUrl=https://{{tenant-id}}.verify.ibm.com/v1.0/endpoint/default/userinfo
clientId=
clientSecret=
usersUrl=https://{{tenant-id}}.verify.ibm.com/v2.0/Users
apiClientId=
apiClientSecret=

6.1.4 Embed chatbot on the home page of the E-Commerce Portal Application

In the cloned repo folder - go to src/main/resources. Open home.html. Embed the chatbot script element before the closingbody tag.

Note: Replace the integration ID, region and instance ID of the Watson Assistant noted in step 5.

<script>
		window.watsonAssistantChatOptions = {
			integrationID : "fxxxxeb", // The ID of this integration.
			region : "eu-gb", // The region your integration is hosted in.
			serviceInstanceID : "bxxxxx4", // The ID of your service instance.
			onLoad : function(instance) {
				instance.render();
			}
		};
		setTimeout(function() {
			const t = document.createElement('script');
			t.src = "https://web-chat.global.assistant.watson.appdomain.cloud/versions/"
					+ (window.watsonAssistantChatOptions.clientVersion || 'latest')
					+ "/WatsonAssistantChatEntry.js"
			document.head.appendChild(t);
		});
</script>

6.2 Deploy E-Commerce Portal application

On the terminal window, got to the repository folder that we cloned earlier. Go to the directory - sources/ins-portal-app/src/main/java/com/example/legacy/ecomm. Open the file ECommAppEndpoint.java.

Replace the placeholder {{ingress-sub-domain}} with the ingress sub domain of the OpenShift cluster you noted earlier. Save the file.

private static String ingressSubDomain = "ecomm-portal-chatbot.{{ingress-sub-domain}}/";

Now change directory to /sources/ecomm-portal in the cloned repo folder. Run the following commands to deploy E-Commerce Portal application.

oc new-project chatbot
mvn clean install
oc new-app . --name=ecomm-portal --strategy=docker
oc start-build ecomm-portal --from-dir=.
oc logs -f bc/ecomm-portal
oc expose svc/ecomm-portal

Ensure that the application is started successfully using the command oc get pods. Also make a note of the route using the command oc get routes.

6.3 Configure Db2 database

In this step, we will create two tables in the Db2 database - CUSTOMER and ORDERS table.

Invoke the URL - http://ecomm-portal-chatbot.{{IngressSubdomainURL}}/portal/ecomm/setupdb

Note: Replace {{IngressSubdomainURL}} with Ingress subdomain of the OpenShift cluster.

7. Access the Application

Access the app using the link noted in step 6.2.

When you access the portal at the very first time, user registration is required. Click on Register, fill the registration form and submit. On submission, it will create a user in Security Verify and send an email with temporary password to the user.

After receiving the email from Security Verify (stating Account created), access the app and do login. You need to provide the temporary password for the first time and then it will ask you to change the password. After successful login, you can access the portal to shop the merchandise.

The shopping experience and how to use chatbot to check the order status or to cancel the order is shown here.

Demo

The chatbot helps you to do the following after successful identity verification:

  • List active orders: When you order any item(s), the transaction gets recorded and marked as active. This option shows you the ordered items which are marked as active.
  • Cancel order: It allows you to cancel the ordered item after providing the order ID. The order ID can be found in the response of List active orders. After cancellation, the order gets tagged as cancelled.
  • List all orders: It shows the entire order history. The response includes the orders with active and cancelled status.

Summary

In this code pattern you saw how to enable single sign-on for a web application, and also chatbot integration with Identity and Access Management using IBM Security Verify. Both businesses and customers find it convenient to communicate using a conversational chatbot. Ascertaining customer identity in a chatbot conversation becomes all the more important. Hope you enjoyed this code pattern!

For more information on extending the security aspects for your applications using Security Verify, refer to this link.

License

This code pattern is licensed under the Apache License, Version 2. Separate third-party code objects invoked within this code pattern are licensed by their respective providers pursuant to their own separate licenses. Contributions are subject to the Developer Certificate of Origin, Version 1.1 and the Apache License, Version 2.

Apache License FAQ