Mobile app integration and user authentication

Hi everyone,

I’m developing a bot using Rasa Open Source and I want to integrate it with a mobile app. The users must have the possibility to authenticate using their credentials, either before starting the bot or during the conversation. The authentication process is essential because some services of the app and the bot must be accessible only after authentication. Here comes my issue: the authentication is managed outside the bot and initializes a session with a security code associated, which is periodically refreshed. How can I SAFELY keep the bot updated about the security codes so that it can use them to access the user-dependent back-end services it needs?

Thank you in advance!

User authentication is about how users prove that they are the legitimate app users. App authentication covers how the app authenticates towards the backend. Sometimes device authentication is also mentioned, i.e. some device fingerprint being sent towards the backend.

Thank you for your reply, Rebecca.

I understand the difference between user authentication and app authentication. In my case, how the bot authenticates to the back-end depends on the user that has authenticated to the app, since some of the back-end services are user-dependent (for example a booking service). My problem is that I can’t figure out how to safely manage this dependency between user authentication and bot authentication, since the app session and the Rasa session work separately but I still need to keep the bot updated about the user-specific code to use to authenticate to the back-end.

Thank you.
