How can I authenticate my REST or Custom Connector channels?

I have Rasa-X set up on a server using the Quick Install and can send messages through the REST API to Rasa (which land in Rasa-X as being in the “rest” channel). However, this channel is not protected, and anyone is able to post to it.

It got me scratching my head that authentication via the token only applies to HTTP APIs that grab the model, such as api/projects/default/models/tags/production but not ones like /webhooks/<channel>/webhook. This means that my rest channel is exposed.

I’ve looked a lot into ways to authenticate this channel but have found nothing that works. I attempted to implement a custom channel as implemented in this thread: RASA Custom Connector keep giving custom response - #5 by athenasaurav since the implementation in the docs was throwing errors.

However, adding an access token to the credentials did not work, and I can still access both /webhooks/rest/webhook and /webhooks/myio/webhook from anywhere.

I also don’t quite understand how to implement Token-Based Auth (as explained here: Rasa Open Source HTTP API) in the docker-compose file from the Quick Install.

Can anyone give me some pointers here? I’m pretty sure there is something I’m missing.

perhaps nginx JWT authentication can secure your REST endpoint.

In reality your rest endpoint will never be exposed, you would have an API GW and since this is M2M authentication as it is supposed to, you can secure it at the GW itself

Thank you, and sorry if this is a silly question, but how come I can post requests to the rest channel in Rasa using cURL if it’s not exposed? If it were authenticated, I would expect to get a different status code telling me I’m not authenticated.

What i meant is that your Rasa REST endpoint wont be exposed directly to the web but should stay behind a proxy such as nginx where you can control authentication.

Right thanks. So the reason I can now post to it from anywhere is that it’s not properly authenticated on nginx?

indeed. nginx is one way to secure it. in nginx you can add jwt authentication. it is the easiest

another option would be to simply create a custom channel and secure it.

Thanks. I’ve managed to create a custom channel but was not able to secure it. Do you have any links that could guide me as to how to do that?

i am literally writing about it i will share the link soon. I use auth0 as an authentication service

You could try this and let me know

Thanks! I’ll try it out and report back.

Hi @souvikg10 - thanks for the guide - very helpful!

I’m trying to implement your suggestion of editing the nginx config that already fronts the Rasa X deployment to protect the ReST channel. I have a running helm chart deployment, do you know how I can pass in / edit a running deployment to provide the extra location config to nginx?

I’ve got a helm-value.yml with this:

ingress:
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location /webhooks/rest/webhook {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        auth_request /_oauth2_token_introspection;
        proxy_pass http://docker-stack/webhooks/rest/webhook;
      }

      location /_oauth2_token_introspection {
        internal;
        proxy_method      POST;
        proxy_set_header  Content-Type "application/json";
        proxy_set_body    '{"client_id":"$http_client_id","client_secret":"$http_client_secret","audience":"http://localhost/webhooks/rest/webhook","grant_type":"client_credentials"}';
        proxy_pass        https://<___MY TENANT___>.eu.auth0.auth0.com/oauth/token;
      }

but post the upgrade:

$ helm upgrade --install <release_name> --reuse-values --values helm-values.yml

When I drop into into the nginx pod the config is the same (i.e. no added location) and the ReST channel is still unprotected.

From the looks of the docs neither the location-snippet or configuration-snippet actually allow adding a new location to the nginx config… https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#location-snippet https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#configuration-snippet

probably the best thing you can do then is override the docker image used rasa/nginx: Docker Hub

with your own by importing the config into the conf.d location while building the image and thus use that image for deployment with helm

makes sense - will give that a shot. thanks!

Is there a way to secure the socketio channel with custom authentication like from cookies? I am facing issues reading cookies , seems like HTTP session is not able to share the cookie with socketio session.