Oracle Cloud Infrastructure Documentation

Backend Authentication

If you are building a skill for a Microsoft Teams user channel, a skill that accesses a Google or Outlook calendar, or a skill that's invoked by an application-initiated conversation that uses an authenticated user ID to identify the mobile user, then you need to set up an authentication service to enable interaction between Digital Assistant and the identity provider. You also need to set up an authentication service if your skill uses a System.OAuth2Client, System.OAuth2AccountLink, or System.OAuth2ResetTokens built-in component.

If you have a Digital Assistant instance that is paired with a subscription to a Fusion-based Oracle Cloud Applications service, such as Oracle Sales or Oracle Fusion Cloud Human Capital Management, then you don't have to do anything to configure backend authentication for the provided skills. This has been taken care of for you.

Built-In Security Components

Oracle Digital Assistant provides the following security components:

  • System.OAuth2Client: Obtains an OAuth2 access token of grant type Client Credentials that a custom component can use to access client resources that are secured by Oracle Identity Cloud Service or Oracle Access Manager (OAM).

    Before you use this component in a skill, register an application as described in Identity Provider Registration, and then ask your administrator to add a service for the client as described in Authentication Services. If you have a Digital Assistant instance that is paired with a subscription to a Fusion-based Oracle Cloud Applications service, such as Oracle Sales Cloud or Oracle Human Capital Management Cloud, then your IDCS instance already has a registered application and an authentication service has already been created.

  • System.OAuth2AccountLink: Obtains an OAuth2 access token of grant type Authorization Code that a custom component can use to access resources that are secured by one of these identity providers:

    • Oracle Identity Cloud Service

    • Oracle Access Manager (OAM)

    • Microsoft identity platform

    • Google Identity Platform

    Another use for this component is to authenticate users for application-enabled conversations that identify mobile users by their user names, as described in Create a Channel for the External App.

    Before you use this component in a skill, register an application as described in Identity Provider Registration, and then ask your administrator to add a service for the client as described in Authentication Services. If you have a Digital Assistant instance that is paired with a subscription to a Fusion-based Oracle Cloud Applications service, such as Oracle Sales Cloud or Oracle Human Capital Management Cloud, then your IDCS instance already has a registered application and an authentication service has already been created.

  • System.OAuth2ResetTokens: Revokes all the logged-in user's refresh and access tokens from a specified authentication service. This is for dialog flows that use the System.OAuth2AccountLink component.

    Note that you can't use this component with the Microsoft identity platform because it doesn't support the revoking of access tokens through REST calls, only through the command line interface.

  • System.OAuthAccountLink: Obtains the authorization code for identity providers that support the OAuth2 protocol. The custom component must exchange this code for an access token. This component doesn't use an authentication service.

Identity Provider Registration

An administrator must register an application (also referred to as an OAuth client) with the identity provider (IDP) before you can use OAuth2Client, OAuth2AccountLink, or OAuthAccountLink component in a skill.

Register an Application with IDCS or OAM

Before you can use an OAuth2Client, OAuth2AccountLink, or OAuthAccountLink component in a skill, an administrator must register a confidential application (also referred to as an OAuth client) with IDCS or OAM.

Note

If you have a Digital Assistant instance that is paired with a subscription to a Fusion-based Oracle Cloud Applications service, such as Oracle Sales Cloud or Oracle Human Capital Management Cloud, then your IDCS instance already has a registered application named IDCS_OAuthForFA.

To learn how to register an application with IDCS, see Add a Confidential Application in Administering Oracle Identity Cloud Service. Information about registering an application with OAM can be found at Configuring OAuth Services in Administering Oracle Access Management.

When you register an application (client) with IDCS or OAM, you'll need to provide this information:

  • Allowed Grant Types: The application must use either the Authorization Code grant type or the Client Credentials grant type.

  • Scopes or Roles: Include the resources that your custom components need to access. If you include the refresh token grant type, then you also need to add the corresponding scope, which is offline_access for IDCS.

  • Redirect or Callback URL: You'll need to provide the URL that the IDP uses to send back the authorization code. Some identity providers refer to this as the redirect URL or the callback URI. To figure out what to use for the redirect URL, go to the Channels page and open any Facebook or Webhook channel (if you don't have any, create a fictitious one). You use the domain and port from the channel's Webhook URL (e.g., https://<domain>:<port>/connectors/v2/tenants/<tenantId>/listeners/facebook/channels/<channelId>) to create the redirect URL, which must be in the format https://<domain>:<port>/connectors/v2/callback. For example https://example.com:443/connectors/v2/callback.

    If your instance is provisioned on Oracle Cloud Platform (as all version 19.4.1 instances are), use v1 instead of v2.

If you are using OAuth2Client or OAuth2AccountLink for authenticating with the IDP, then, after you create the application (OAuth client), note the client credentials, IDP token, and authorization URL. You'll need this information when you create an authentication service as described in Authentication Services.

Register an Application with Microsoft Identity Platform

To register an application with Microsoft identity platform, follow Microsoft's instructions at Quickstart: Register an application with the Microsoft identity platform.

Set the app type to Web.

You'll need to provide the URL that the platform uses to send back the authorization code. To figure out what to use for the URL, go to the Digital Assistant's Channels page and open any Facebook or Webhook channel (if you don't have any, create a fictitious one). You use the domain and port from the channel's Webhook URL (e.g., https://<domain>:<port>/connectors/v2/tenants/<tenantId>/listeners/facebook/channels/<channelId>) to create the redirect URL, which must be in the format https://<domain>:<port>/connectors/v2/callback. For example https://example.com:443/connectors/v2/callback.

After you register the application, you need to create a client secret as described in the Microsoft topic Create a new application secret. You'll use this secret when you create an authentication service for the application.

Register an Application with Google OAuth2 Authorization

To register an application with Google OAuth2, you create a project and enable the necessary APIs as shown in the Google topic Enable APIs for your project. If you plan to use the calendar components, ensure that you enable both the Google Calendar API and the CalDAV API.

Next, get the application's client ID and secret as described in the Google topic Create authorization credentials.

On the OAuth consent screen, specify the scopes that your app will need permission to access. See the Google topic Identify access scopes for more information.

Authentication Services

To use the System.OAuth2Client and System.OAuth2AccountLink security components, your administrator must first add a service for the IDP on the Authentication Services page. You can create services for Authorization Code and Client Credential grant types. Authentication Services supports IDCS and OAM R2PS3 identity providers.

Note

If you have a Digital Assistant instance that is paired with a subscription to a Fusion-based Oracle Cloud Applications service, such as Oracle Sales Cloud or Oracle Human Capital Management Cloud, then an authentication service has already been created for the IDCS instance that's associated with your Digital Assistant instance.

Before you create a service, you'll need to ask your IDP administrator to give you the information that you need to add a service.

Add an Authorization Code Service

Here's how to create an authentication service for grant type Authorization Code for IDCS, OAM, Microsoft Identity Platform, and Google Identity Platform. This grant type authenticates on user name and password.

  1. Open the side menu and click Settings > Authentication Services.
  2. Click + Service.
  3. Select the Authorization Code grant type.
  4. Enter these values:

    • Identity Provider: Which type of identity provider (IDP) you are using.

    • Name: A name to identify the authentication service.

    • Token Endpoint URL: The IDP's URL for requesting access tokens.

      • IDCS: Use https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/token.

      • OAM: Use http://<Managed-Server-Host>:<Managed-Server-Port>/oauth2/rest/token.

      • Microsoft Identity Platform: Use https://login.microsoftonline.com/<Azure-Active-Directory-TenantID>/oauth2/v2.0/token.

      • Google Identity Platform: Use https://www.googleapis.com/oauth2/v4/token.

    • Authorization Endpoint: The IDP's URL for the page that users authenticate with by entering their user name and password.

      • IDCS: Use https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/authorize.

      • OAM: Use http://<host>:<port>/oauth2/rest/authz.

      • Microsoft Identity Platform: Use https://login.microsoftonline.com/<Azure-Active-Directory-TenantID>/oauth2/v2.0/authorize.

      • Google Identity Platform: Use https://accounts.google.com/o/oauth2/v2/auth.

    • Short Authorization Code Request URL: (Optional) A shortened version of the authorization URL, which you can get from a URL shortener service (one that allows you to send query parameters) . You might need this because the generated authorization-code-request URL could be too long for SMS and older smart phones.

      By default, the authorization code request URLs for each platform are:

      • IDCS and OAM:

        {Authorization Endpoint URL}?client_id={clientId}&response_type=code&scope={scope}&redirect_uri={redirectUri}&state={state}

      • Microsoft Identity Platform:

        {Authorization Endpoint URL}?client_id={clientId}&response_type=code&scope={scope}&redirect_uri={redirectUri}&response_mode=query&state={state}

      • Google Identity Platform:

        {Authorization Endpoint URL}?client_id={clientId}&response_type=code&scope={scope}&redirect_uri={redirectUri}&access_type=offline&prompt=consent&state={state}

      Here's an example of the URL displayed in a text message:

      Description of long-url.png follows

      For example, you can get a shortened version of this URL:

      {Authorization Endpoint
      URL}?client_id={clientId}&response_type=code&scope={scope}&redirect_uri={redirectUri}&state={state}

      Using the Short Authorization Code Request URL, Oracle Digital Assistant builds the authorization code request URL like this: 

      {Short Authorization Code Request URL}?state={state}

    • Revoke Token Endpoint URL: (Optional) If you want to revoke all the refresh tokens and access tokens of the logged-in user from a dialog flow, then you need the IDP's revoke refresh token URL. If you provide this URL, then you can use the System.OAuth2ResetTokens component to revoke the user's tokens for this service.

      • IDCS: Use https://<IDCS-Service-Instance>.identity.oraclecloud.com/oauth2/v1/revoke.

      • OAM: Use https://<host>:<port>/ms_oauth/oauth2/endpoints/<OAuth-Service-Name>/tokens.

      • Microsoft Identity Platform: Not supported.

      • Google Identity Platform: Use https://oauth2.googleapis.com/revoke.

    • Client ID and Client Secret: The client ID and secret for the IDP application (OAuth Client) that was registered as described in Identity Provider Registration. With Microsoft identity platform, use the application ID and secret.

    • Scopes: A space-separated list of the scopes that must be included when Digital Assistant requests an access token from the provider. Include all the scopes that are required to access the resources. If refresh tokens are enabled, include the scope that’s necessary to get the refresh token (typically offline_access).

      • IDCS: Use the urn:opc:idm:__myscopes__ scope when you need to obtain an access token that contains all of the allowed scopes. Use the urn:opc:idm:role.<roll-name> scope (for example, urn:opc:idm:role.User%20Administrator) when you need to obtain an access token that contains the applicable scopes of a given role.

      • Microsoft Identity Platform: You must include openid email profile offline_access. If you plan to use calendar components, you must include https://graph.microsoft.com/Calendars.ReadWrite. For other permissions, use the format https://graph.microsoft.com/<permission>. Replace <permission> with a valid permission name from the Microsoft Graph permissions reference.

      • Google Identity Platform: You must include https://www.googleapis.com/auth/userinfo.email, which is used to obtain the user’s login ID. If you plan to use calendar components, you must include https://www.googleapis.com/auth/calendar. For other scopes, see OAuth 2.0 Scopes for Google APIs.

    • Subject Claim: The access-token profile claim to use to identify the user.

      • IDCS and OAM: This is typically the sub (subject) claim. However, if the sub claim contains an internal user ID, that's not helpful for Digital Assistant. In these cases, specify a profile claim that can help Digital Assistant identify the user, such as email or name.

      • Microsoft Identity Platform: Use preferred_username.

      • Google Identity Platform: Use email.

    • Refresh Token Retention Period: The number of days to keep the refresh token in the Digital Assistant cache. If you leave this blank, it defaults to 7.
    Description of auth-service-ac.png follows
  5. Click Create.

Tip:

For IDCS, when a user signs in through the System.OAuth2AccountLink component, you can automatically store the IDCS user's profile information for the duration of a session. See Store IDCS User Profile for the Duration of the Session. This feature works only with instances of Oracle Digital Assistant that were provisioned on Oracle Cloud Infrastructure (sometimes referred to as the Generation 2 cloud infrastructure).

Add a Client Credentials Service

Here's how to create an authentication service for grant type Credentials for IDCS and OAM. This grant type authenticates on client ID and client secret.

  1. Open the side menu and click Settings > Authentication Services.
  2. Click + Service.
  3. Select the Client Credentials grant type.
  4. Enter these values:

    • Identity Provider: Which type of identity provider (IDP) you are using.

    • Name: A name to identify the authentication service.

    • Token Endpoint URL: The IDP's URL for requesting access tokens.

    • Client ID and Client Secret: The client ID and secret for the IDP application (OAuth Client) that was registered as described in Identity Provider Registration.

    • Scopes: The scopes that must be included when Digital Assistant requests an access token from the provider. Include all the scopes that are required to access the resources.


    Description of auth-service-cc.png follows

  5. Click Create.