How to pass authentication to iframe from host app?
I will implement a chat bot web app that can be used on other websites. I plan to host this app at www.mysite.com, and customers will be able to display this chat bot inside an iframe on their sites. Website owners that want to use my chat bot will have their accounts on my site.
First, I plan to get from customers the domain on which the chat bot will run and bind it to their customer ids. When they open the iframe with something similar to www.mysite.com?customerId=12345, I will validate whether the domain matches the id on my side. It looks like the method being used by other chat bot apps (Intercom, etc.).
But I'm not sure what kind of authorization method I should use. My customers can have their own users, and each user can have their own chat bot. None of the users should be able to access other users' bots. What could be the best way to use the authorization provided by my customer, securely?
Customers can handle part of the security issue by assigning chat bots to their users and preventing users from seeing others' bots. But I cannot have a URL like www.mysite.com?customerId=12345&botId=321, because it would allow all users to access that bot once its id is compromised.