Mattermost, Inc.

Authenticating an interactive dialog submission in my integration

I’m implementing an interactive dialog.

I wonder if there is any way that my integration backend can authenticate the submitted request from that dialog. I understood that for interactive messages, I can use the context part of the JSON payload to pass along a secret that my backend can validate. Is there anything similar that I can use with interactive dialogs?

@alex_enyway, I’d suggest using the trigger_id for this purpose. It’s effectively a shared secret between the server and your integration that should remain protected if your integration accepts connections over TLS.

@jesse, thanks! Just to make sure I get this right. Is this how it would work?

  • Slash command calls integration with new trigger_id
  • Integration stores trigger_id for later verification
  • Integration POSTs dialog with trigger_id added to the state so that it’s passed back on submit
  • User submits dialog (the trigger_idmight have expired by now, that’s why I think I’d have to store it)
  • Integration verifies trigger_idfrom dialog’s stateagainst the stored one

Is this what you suggest? Or can I somehow validate the trigger_idagainst the Mattermost server without adding the overhead of storing it myself?