OAuth 2.0 (Client Credentials Grant)

Configuring the Aisera platform

In this type of authorization, the software client asks the user for their username and password (rather than redirecting them to an IdP authorization server to authenticate) and sends the username and password to the authorization server together with the software client's own credentials. If authentication succeeds, the server issues the client an access token.

OAuthClientCredentials authentication includes the following fields:

Fields

Client Id: A unique identifier assigned to the client application by the authorization server.

Client Secret: A confidential string used by the client to authenticate itself to the authorization server.

Access Token URL: The URL where the client exchanges the authorization code for an access token.

Scope: The scope of the integration, i.e. which resources the issued token will be allowed to access.

Access Token Extraction Key: The key in the token response JSON object that holds the access token. By default it is access_token, but this can be changed.

Expires In Extraction Key: The key in the token response JSON object that holds the expires_in value for the new access token. By default it is expires_in, but this can be changed.

Http Operation *: The HTTP operation used for the authorization request (DEFAULT is POST).

Headers: Custom headers in JSON format, e.g. {"apiKey": "api_key_value"}.

Use Raw Token: Enable this checkbox only when the 'Bearer' prefix must not be added in front of the token. After the authorization token is obtained, the platform has to decide whether to prepend 'Bearer' before attaching the token to the ingestion requests; this checkbox controls that decision.

Grant Type: The OAuth 2.0 grant type. The default 'client_credentials' can be replaced according to the authorization flow of the external system.

Use Jwt Token: Enable this checkbox only when the JWT flow is going to be used.

JWT Client Assertion Type: A method for authenticating OAuth 2.0 clients using JSON Web Tokens.

JWT Private Key: The cryptographic key used to sign the JSON Web Tokens for authentication and authorization purposes.

JWT Headers: Lets the user add JWT header fields in JSON format.

JWT Payload: Lets the user add JWT payload/claims fields in JSON format.

OAuth Client Credentials Support Additional Key/Value Pairs

The OAuth configuration accepts a JSON map in which you can supply arbitrary values to be passed as body parameters (for example, as x-www-form-urlencoded fields).

The Aisera Gen AI platform already passes body parameters for client_id, client_secret, grant_type and, optionally, scope. In addition, you now have the option to add arbitrary key/value pairs.

NOTE: if you add the pair (client_id, test) as a Body Parameter, the "test" value will overwrite the value configured in the "Client Id" field. The same applies to the client secret and scope.
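The following example, added here and not part of the Aisera product or its documentation, ties the field table and the body-parameter section together: it assembles the token request from a configuration shaped like the fields above, applies the arbitrary key/value pairs last so that a ("client_id", "test") pair overwrites the configured Client Id exactly as the note warns, optionally replaces the client secret with a signed JWT client assertion built from the "JWT Headers" and "JWT Payload" JSON, reads the response with the configurable extraction keys, and honours "Use Raw Token" when building the Authorization header. The configuration values, hostnames, secret and signing key are constructed placeholders. The JWT is signed with HS256 and a shared key purely so the example runs on the standard library; a real "JWT Private Key" would be an RSA or EC private key used with RS256 or ES256.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# RFC 7523 assertion type for JWT-based client authentication.
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed configuration mirroring the fields described on this page.
# Secret, key, hostnames and scope are placeholders, not real values.
CONFIG = {
    "client_id": "example-connector",
    "client_secret": "PLACEHOLDER_CLIENT_SECRET",
    "access_token_url": "https://idp.example.invalid/oauth2/token",
    "scope": "tickets.read",
    "grant_type": "client_credentials",
    "http_operation": "POST",
    "access_token_extraction_key": "access_token",
    "expires_in_extraction_key": "expires_in",
    "use_raw_token": False,
    "additional_body_params": {},
}


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_segment(segment: str) -> dict:
    """Decode one base64url JWT segment back into its JSON object (for inspection)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_client_assertion(jwt_headers: dict, jwt_payload: dict, signing_key: bytes) -> str:
    """Assemble a JWT from the 'JWT Headers' and 'JWT Payload' JSON and sign it.

    Assumption: HS256 with a shared key so the example runs on the standard library;
    with a real private key the assertion would be signed with RS256/ES256 instead.
    """
    header = {"typ": "JWT", "alg": "HS256", **jwt_headers}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(jwt_payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(signing_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def build_token_request(config: dict, client_assertion: Optional[str] = None) -> Tuple[str, str, str]:
    """Return (http_operation, url, x-www-form-urlencoded body) for the token call.

    The platform's own client_id / client_secret / grant_type / scope go in first and the
    arbitrary key/value pairs are merged afterwards, so a pair such as ("client_id", "test")
    overwrites the configured Client Id, which is the caveat noted on this page.
    """
    body = {"grant_type": config["grant_type"], "client_id": config["client_id"]}
    if client_assertion is not None:
        # JWT flow (assumed): the signed assertion takes the place of the client secret.
        body["client_assertion_type"] = JWT_BEARER_ASSERTION
        body["client_assertion"] = client_assertion
    else:
        body["client_secret"] = config["client_secret"]
    if config.get("scope"):
        body["scope"] = config["scope"]
    body.update(config.get("additional_body_params", {}))
    return config["http_operation"], config["access_token_url"], urlencode(body)


def parse_token_response(config: dict, response_json: dict) -> Tuple[str, Optional[int]]:
    """Pull the token and its lifetime out of the response using the extraction keys."""
    token_key = config["access_token_extraction_key"]
    if token_key not in response_json:
        raise KeyError(f"token response has no '{token_key}' field")
    expires_in = response_json.get(config["expires_in_extraction_key"])
    return response_json[token_key], None if expires_in is None else int(expires_in)


def authorization_header(config: dict, token: str) -> str:
    """'Use Raw Token' suppresses the Bearer prefix; otherwise it is prepended."""
    return token if config["use_raw_token"] else f"Bearer {token}"


if __name__ == "__main__":
    # Demonstrate the overwrite caveat: the extra pair wins over the configured Client Id.
    cfg = dict(CONFIG, additional_body_params={"client_id": "test"})
    print(build_token_request(cfg))
    # JWT flow with constructed header/payload JSON and a placeholder signing key.
    now = int(time.time())
    claims = {"iss": CONFIG["client_id"], "sub": CONFIG["client_id"],
              "aud": CONFIG["access_token_url"], "iat": now, "exp": now + 300}
    assertion = build_client_assertion({"kid": "placeholder-key-id"}, claims, b"PLACEHOLDER_KEY")
    print(build_token_request(CONFIG, client_assertion=assertion))
    # Constructed token response with non-default extraction keys.
    custom = dict(CONFIG, access_token_extraction_key="token", expires_in_extraction_key="ttl")
    token, ttl = parse_token_response(custom, {"token": "abc123", "ttl": "3600"})
    print(authorization_header(custom, token), ttl)
```

Running the script shows the three stages in order: the form body with the overwritten client_id, the JWT-flow body in which client_assertion_type and client_assertion replace client_secret, and a token parsed with the custom extraction keys. Because the arbitrary pairs are merged last, anyone reviewing a connector configuration should check that map for client_id, client_secret or scope entries before assuming the dedicated fields are what is actually sent.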

Authorization Explanation

This is an industry-standard authorization flow. The Client Credentials grant type is a method used by clients (applications or services) to acquire an access token without involving a specific user. Instead of authenticating on behalf of a user, the client presents its own credentials (client ID and client secret) to the authorization server and receives an access token that lets it access protected resources on its own behalf. Connectors that use this authorization flow include Nexthink and Marketo. The Aisera platform can also use a JWT in place of the OAuth client credentials within the same configuration.

Examples:

Nexthink is an example of an application that uses OAuthClientCredentials authentication.

Note: Not all of the fields listed for this authorization flow need to be filled in. The required combination of fields varies with the specific requirements of the external system.

Configuring the external platform

When configuring the external system for OAuth 2.0 integration with the Aisera platform, the following redirect URLs need to be whitelisted:

  • To enable service account authorization for use with data sources and workflows, whitelist: https://<cluster url>.login.aisera.cloud/?id=aisera.oauth.oauthCommand. Here, the cluster url will be "prod", "prod1", etc.

  • To enable user authorization for use with workflows, whitelist: https://<vanity url>.chatbot.aisera.cloud/oauth2/authorize
