Creating a tracking item to improve guidance for the token API within Web Chat. We recommend using this API when possible to enhance client security, but the readme and docs do not currently emphasize or support its use as emphatically as they should.
Some areas of improvement:
- A new docs page describing the benefits and considerations/tradeoffs of the token API
- The Web Chat readme.md should more strongly recommend the token API and link to the doc page above
- The samples are pretty good already and mention using the token API. The summary text can be improved. Existing text:
// To talk to your bot, you should use the token exchanged using your Direct Line secret.
// You should never put the Direct Line secret in the browser or client app.
// https://docs.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-direct-line-3-0-authentication
Proposed text:
// Your client code must provide either a secret or a token to talk to your bot.
// Tokens are more secure. To learn about the differences between secrets and tokens
// and to understand the risks associated with using secrets, visit [link to new doc page]
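
A sketch of the server side of the secret-versus-token split discussed above, as an added example that is not part of the original issue or the Web Chat samples. It exchanges the Direct Line secret for a token at the Direct Line 3.0 `tokens/generate` endpoint and forwards only allow-listed fields to the browser; the function names and the injectable `fetchImpl` parameter are assumptions made for illustration.

```javascript
// Added example: server-side token broker for Direct Line (Node 18+).
// The secret stays on the server; the browser only ever receives a token.
const GENERATE_URL =
  'https://directline.botframework.com/v3/directline/tokens/generate';

// Build the token-generation request. The secret travels only in this
// server-to-service Authorization header.
function buildTokenRequest(secret) {
  if (typeof secret !== 'string' || secret.length === 0) {
    throw new Error('Direct Line secret is not configured');
  }
  return {
    url: GENERATE_URL,
    init: { method: 'POST', headers: { Authorization: `Bearer ${secret}` } },
  };
}

// Allow-list the fields forwarded to the client so nothing else leaks.
function toClientPayload(body) {
  if (!body || typeof body.token !== 'string') {
    throw new Error('token response did not contain a token');
  }
  return {
    token: body.token,
    expires_in: body.expires_in,
    conversationId: body.conversationId,
  };
}

// fetchImpl is a hypothetical injectable parameter so the broker can be
// exercised offline; it defaults to the global fetch.
async function issueToken(secret, fetchImpl = globalThis.fetch) {
  const { url, init } = buildTokenRequest(secret);
  const res = await fetchImpl(url, init);
  if (!res.ok) {
    // Do not echo upstream error bodies or the secret to the caller.
    throw new Error(`token generation failed with HTTP ${res.status}`);
  }
  return toClientPayload(await res.json());
}
```

Expose `issueToken` behind your own authenticated route and hand the returned `token` to Web Chat with `createDirectLine({ token })`, so the secret never appears in client code.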