I have an integration between a conversational AI and Genesys Cloud. An end user talks to the conversational AI. If the AI cannot answer the user's question, it escalates the conversation to Genesys Cloud and a human agent answers. The end user can now talk to the human agent, but the AI is still watching and facilitating the conversation.
When the conversation is ongoing, the AI can supply useful information to the agent on the fly. To display this information, I am using a Web Page component in a Script that runs in the agent's browser:
The web page has a URL like https://someAIUrlHere.com/usefulInfo/{{Scripter.Interaction ID}}
When this URL is hit, the AI returns a page that has additional useful information for the agent that is relevant to the current conversation.
But I'm not sure how I can make this page secure. I don't see any option on the Web Page component to add a header where I could pass a secret key or something.
So, as it stands, the AI has no good way of knowing that the request indeed came from Genesys. A malicious user could enter that same URL in their browser and get the results from the AI.
The best I think I can do is to include additional fields in the URL, such as the agent ID and the script ID, which make it impractical for the URL to be guessed unless the malicious user has some level of access to Genesys and knows what script is invoked and what the agent ID and interaction ID are. However, if the URL is leaked in some way (through server logs, for example), then anyone can access it.
Good morning Wesley, thanks for joining us on the forum!
There is no relationship between the Genesys Cloud app and the page that gets loaded in the iframe; they are intentionally isolated from one another. You can pass data in the path and query string, but it is technically impossible in a web browser environment for a trust to exist between your app and the Genesys Cloud app. Your app must establish its own trust with the user. The page that's getting loaded in the iframe must be responsible for its own security and must be authorized by users visiting it using whatever means are appropriate for your users.
The only thing Genesys can offer you in this regard is Genesys Cloud Authorization used to authorize 3rd party apps to use the Genesys Cloud API. This method would allow your app to be authorized and given a Genesys Cloud auth token so you can verify the identity of the user using your app by making an API request with the token to the Genesys Cloud API. You can then know who the user is and restrict access within your app accordingly. There are various OAuth flows available depending on the architecture of your application.
If you have your own identity provider you'd like to use to authorize your users, you can of course use that as well. The basic concept is generally the same no matter what identity provider you're using; the user authenticates with the IDP and the IDP provides your app with a token to prove that it's been authorized by a known and allowed user.
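The token check described in this reply, sketched as an added example that is not part of the original post or Genesys code: the backend behind the usefulInfo page accepts a Genesys Cloud token in an `Authorization` header (so it never appears in the URL), asks `GET /api/v2/users/me` who it belongs to, and fails closed. The function names, the `allowed_user_ids` allow-list and the us-east-1 API host are assumptions.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Assumption: us-east-1 API host; other Genesys Cloud regions use a different host.
API_BASE = "https://api.mypurecloud.com"


def http_get_json(url, token):
    """GET url with a bearer token; return (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, None
    except URLError:
        return 503, None


def authorize_request(headers, allowed_user_ids, get_json=http_get_json):
    """Return (http_status, user_id) for a request to the page's data endpoint.

    allowed_user_ids is a hypothetical allow-list of Genesys Cloud user IDs
    kept by the receiving app; get_json is injectable so the check can be
    exercised without network access.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, None  # no usable credential on the request
    status, body = get_json(f"{API_BASE}/api/v2/users/me", token)
    if status in (401, 403):
        return 401, None  # Genesys Cloud rejected the token
    if status != 200 or not isinstance(body, dict) or not body.get("id"):
        return 502, None  # upstream problem: deny rather than guess
    if body["id"] not in allowed_user_ids:
        return 403, body["id"]  # real user, but not permitted here
    return 200, body["id"]
```
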
Implementing authentication for individual users is unfortunately not feasible for us. I tried using a Web Services Data Action on page load to achieve this, but ran into "Blocked a frame with origin xyz from accessing a cross-origin frame", as was expected. I will see what I can manage with the current capabilities of the Genesys Cloud app. There are other dynamically generated values such as the Agent Communication ID that may be useful, rather than the static script ID.
However, I should mention that perhaps a header could be added to the Web Page request and isolation still maintained between the two apps. Salesforce, for example, takes a slightly more tightly coupled approach with its Canvas Apps. There, the initial web page request (similar to Genesys) is a POST with a signed payload that helps the receiving endpoint identify who the sender is (and it is an iframe within Salesforce). This may not be feasible for Genesys due to architectural design reasons, but a more loosely coupled design like allowing a POST with an initial payload / header fields might be feasible and quite useful too for similar scenarios.
I would recommend you submit your request about adding a header to the Web Page to our Ideas portal. Our product managers will take a look at the feature request, look at the overall popularity of the idea, and then take it back to the engineering teams for feasibility.
Thanks,
John Carnell
Manager, Developer Engagement
John, thank you. I wish I could easily add an idea there, but it appears the Ideas portal is accessible only to Genesys employees or partners. My regular Genesys login credentials don't work with it. Right now I'm not in a position to have our Genesys account manager submit an idea on my behalf.