Skip to main content

High Level Software Architecture: Authenticated Interactions with OAuth 2.0—How It Works

  • Chat

Updated ~ minute read

How it works

Sign-on flow: Web Code Flow

  1. A consumer logs into the authenticated area, and clicks on a chat invitation.

  2. The Live Assist Web SDK calls the configured webpage JavaScript method to supply an authorization code. The web app verifies that the consumer is logged in (otherwise it asks the user to log in according to the brand’s standards), and then issues an authorization code. The Authorization Code is supplied back to the Live Assist Web SDK using a callback method.

  3. The authorization code is passed to the Live Assist service by the embedded window while sending the chat request.

  4. The Live Assist service processes the chat request , and queries the brand’s Visitor Authentication Service with the authentication code that it just received. In response, the brand's Visitor Authentication Service validates the Authentication Code and sends an OpenID Connect token with all visitor attributes.

  5. When the OpenID Connect token is successfully received by the Live Assist service, the chat process starts.

Note:
     •  Visitor attributes can be added to the OpenID Connect token. Those visitor attributes are displayed to the agent in the Agent Workspace, next to a secure icon.
     •  Consumers who are not currently logged in, or whose login effort failed, are unable to start a conversation with the designated agent. Instead, they are redirected to the Offline survey.

Sign-on flow: Web Implicit Flow

Implicit Flow is very similar to Code Flow, but with the following differences:

  • Instead of generating an authorization code, the Brand Service generates an OpenID Connect token. This type of token contains the user information and is not just a reference. The user information is signed using the brand keys and can also be encrypted for Live Assist.

  • When the Live Assist Service receives this token, instead of validating it with the Brand Service, it verifies the signature and decrypts its content.

    Note: Consumers who are not currently logged in are unable to start a conversation with the designated agent. Instead, they are redirected to the Offline survey.

1a.png

2a.png

Sign-on flow: Mobile SDK Code Flow

  1. The brand’s mobile app initiates and sets up the Live Assist SDK.

  2. The Live Assist SDK starts an unauthenticated session by connecting to the Live Assist service.

  3. The SDK triggers a callback that requests the OAuth 2.0 code from the mobile app for authentication purposes.

  4. The app generates the OAuth 2.0 code. This process is usually completed using the authorization endpoint in the brand’s Authorization Server. The exact flow depends on the brand’s decisions.

  5. The SDK informs the Live Assist service that it can authenticate the session and attaches the OAuth 2.0 code.

  6. The Live Assist Service processes the chat request, and queries the brand’s Visitor Authentication Service with the Authentication Code it just received. In response, the brand's Visitor Authentication Service validates the Authentication Code and sends an OpenID Connect token with all visitor attributes.

  7. The brand’s Authorization Server responds with the token and JWT.

Important: In the current implementation of the SDK, the host app must provide the OAuth 2.0 code as a parameter when starting the conversation, and should not rely on step [3].

3a.png

Authentication Expiration Flow

Every JWT contains an expiration time. Upon JWT expiration, the customer side is asked to provide a refreshed JWT.

Related articles