The network traffic initiated by Dialogflow for webhook requests is sent on a public network. To ensure that traffic is both secure and trusted in both directions, Dialogflow optionally supports Mutual TLS authentication (mTLS). During Dialogflow's standard TLS handshake, your webhook server presents a certificate that can be validated by Dialogflow, either by following the Certificate Authority chain or by comparing the certificate to a Custom CA certificate. By enabling mTLS on your webhook server, it will be able to authenticate the Google certificate presented by Dialogflow to your webhook server for validation, completing the establishment of mutual trust.
Requesting mTLS
To request mTLS:
- Prepare your webhook HTTPS server to request the client certificate during the TLS handshake.
- Your webhook server should verify the client certificate upon receiving it.
- Install a certificate chain for your webhook server, which can be mutually trusted by both client and server. Applications connecting to Google services should trust all the Certificate Authorities listed by Google Trust Services. You can download root certs from: https://pki.goog/.
Sample call to a webhook server using mTLS
This example uses the agent shown in the quickstart with a
webhook server
running
openssl
.
- Sample setup
- A Dialogflow ES agent that greets the end user and queries a webhook pointing to a standalone web server.
- A private key for TLS communication in a file named
key.pem
. - A certificate chain signed by a
publicly-trusted
CA (Certificate Authority) in a file named
fullchain.pem
.
-
Execute the
openssl s_server
program in the server machine.sudo openssl s_server -key key.pem -cert fullchain.pem -accept 443 -verify 1
- A request is sent to the agent from a client machine. For this example, the request is "Hi". This request can be sent using the Dialogflow Console, or through an API call.
-
Output of
openssl s_server
in the server machine.verify depth is 1 Using default temp DH parameters ACCEPT depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1 verify return:1 depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1D4 verify return:1 depth=0 CN = *.dialogflow.com verify return:1 -----BEGIN SSL SESSION PARAMETERS----- MII... -----END SSL SESSION PARAMETERS----- Client certificate -----BEGIN CERTIFICATE----- MII... -----END CERTIFICATE----- subject=CN = *.dialogflow.com issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4 Shared ciphers:TLS_AES_128_GCM_SHA256:... Signature Algorithms: ECDSA+SHA256:... Shared Signature Algorithms: ECDSA+SHA256:... Peer signing digest: SHA256 Peer signature type: RSA-PSS Supported Elliptic Groups: 0x6A6A:... Shared Elliptic groups: X25519:... CIPHER is TLS_AES_128_GCM_SHA256 Secure Renegotiation IS NOT supported POST /dialogflowFulfillment HTTP/1.1 authorization: Bearer ey... content-type: application/json Host: www.example.com Content-Length: 1011 Connection: keep-alive Accept: */* User-Agent: Google-Dialogflow Accept-Encoding: gzip, deflate, br { "responseId": "96c0029a-149d-4f5d-b225-0b0bb0f0c8d9-afbcf665", "queryResult": { "queryText": "Hi", "action": "input.welcome", "parameters": { }, "allRequiredParamsPresent": true, "outputContexts": [{ "name": "projects/PROJECT-ID/agent/sessions/58ab33f3-b57a-aae9-fb23-8306242d4871/contexts/__system_counters__", "parameters": { "no-input": 0.0, "no-match": 0.0 } }], "intent": { "name": "projects/PROJECT-ID/agent/intents/399277d6-2ed7-4329-840d-8baa0f60480e", "displayName": "Default Welcome Intent" }, "intentDetectionConfidence": 1.0, "languageCode": "en", "sentimentAnalysisResult": { "queryTextSentiment": { "score": 0.2, "magnitude": 0.2 } } }, "originalDetectIntentRequest": { "source": "DIALOGFLOW_CONSOLE", "payload": { } }, "session": "projects/PROJECT-ID/agent/sessions/58ab33f3-b57a-aae9-fb23-8306242d4871" }ERROR shutting down SSL CONNECTION CLOSED
Best Practice
To make sure that webhook requests are initiated from your own Dialogflow agents, you should verify the Bearer service identity token from the request's Authorization header. Alternatively, you can verify a session parameter provided previously by an authentication server on your side.
Errors
If the client certificate validation fails (for example, the webhook server does not trust the client certificate), the TLS handshake fails and the session terminates.
Common error messages:
Error message | Explanation |
---|---|
Failed to verify client's certificate: x509: certificate signed by unknown authority | Dialogflow sends its client certificate to the external webhook, but the external webhook cannot verify it. This may be because the external webhook didn't install the CA chain correctly. All root CAs from Google should be trusted. |