A Control Room administrator can create OAuth connections for users to use these connections in the authentication action for packages without having to enter any authentication details.

The Salesforce mark and logo, the Microsoft SharePoint mark and logo, the Apigee mark and logo, ServiceNow mark and logo, and the Genesys mark and logo are trademarks or registered trademarks of Salesforce, Inc., Microsoft Corp., Google LLC, ServiceNow, Inc., and Genesys, respectively, and are used for identification purposes only.

For any external OAuth connections created in the Cloud Control Room instance, all external endpoints such as the authorization URL and token URL must be reachable from the Cloud Control Room through the network perimeter firewall rules. Configure your network firewall to include Automation Anywhere outbound IP addresses to the allowed list. See Control Room IP addresses for external integrations.

Prerequisites

  • If the Control Room servers are behind a proxy and external connections have to go through the proxy, then configure forward proxy settings as detailed in Configure forward proxy settings.
  • Ensure that you are using a user role that has the Manage connections permission enabled for the OAuth Connections feature. See Feature permissions for a role.
  • If you are adding more than one scope, ensure that you separate the scopes using commas.

    Example: api,refresh_token,offline_access

  • Ensure that you have configured an enterprise application and made a note of the Client ID, Client secret, Authorization URL, Token URL, and Scope. See Configure enterprise applications
    Note:
    • Consider the above prerequisites to avoid a connection error.
    • Although the following table lists the applications that are certified, you can configure your enterprise applications using the Manage > OAuth connections > Create connection by selecting Provider type as Custom.

Examples of key components of OAuth

Enterprise applications Authorization URL Token URL Scope
Genesys https://login.<yourinstance>.pure.cloud/oauth/authorize https://login.<yourinstance>.pure.cloud/oauth/token Not required
Google Apigee https://accounts.google.com/o/oauth2/auth?prompt=consent&access_type=offline https://accounts.google.com/o/oauth2/token https://www.googleapis.com/auth/cloud-platform
Google Workspace (Calendar, Drive, Gmail, Sheets) https://accounts.google.com/o/oauth2/auth?prompt=consent&access_type=offline https://oauth2.googleapis.com/token
Jira https://auth.atlassian.com/authorize https://auth.atlassian.com/oauth/token offline_access write:jira-work,read:jira-user,manage:jira-webhook,read:jira-work
Microsoft Entra (Microsoft 365, Office, Teams) https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token offline_access,openid,https://graph.microsoft.com/.default. For granular scopes, see Scopes and permissions in the Microsoft identity platform
Microsoft Entra (SharePoint) https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
  • For SharePoint actions based on SharePoint REST API, use https://<domain-name>/AllSites.Manage,offline_access,openid
  • For SharePoint web triggers and actions based on Microsoft Graph API, use https://graph.microsoft.com/.default,openid, offline_access.
For granular scopes, see Scopes and permissions in the Microsoft identity platform
Note:
  • Only when your apps require the sub claim in the ID token to identify the end-user, you must include the OpenID scope. Otherwise, this scope is optional.
  • The offline_access scope enables the authorization server to provide the user with a refresh token. This scope eliminates the need to re-authenticate the connection after a significant period of inactivity.
Salesforce https://<yourinstance>.salesforce.com/services/oauth2/authorize https://<yourinstance>.salesforce.com/services/oauth2/token api,refresh_token,offline_access
ServiceNow https://<yourinstance>.service-now.com/oauth_auth.do https://<yourinstance>.service-now.com/oauth_token.do Not required

Procedure

  1. In the Control Room, navigate to Manage > OAuth connections.
  2. Click Create connection.
  3. In the Connection settings screen that opens, select a Provider type.
    Note: The Callback URL is used in your enterprise application configuration settings to connect to the Control Room.
  4. Enter a unique Connection name to identify the connection.
  5. Optional: Enter a Description for the connection.
    Image displaying the OAuth connection settings page
  6. Click Next.
    The Authentication details screen appears.
  7. Select a Grant type. See OAuth authorization code flow and OAuth client credentials flow.
    Note:
    • If you are configuring for a Google Cloud Platform (GCP) account, select Authorization Code Flow because Control Room managed OAuth connection using Authorization code flow with PKCE is currently not supported.
    • If you are configuring SharePoint web triggers, select Client Credentials Flow.
  8. Enter the Client ID that is provided by the provider for your account.
  9. Enter the Client secret that is provided by the provider for your account.
    Note:
    • After testing or creating a connection, the Client secret field will not be displayed in the user interface, but the backend service will continue to use the stored value. This is expected behavior.
    • The Client secret field is masked while you enter the value, similar to a password field. This enhances security by preventing the secret from being visible in clear text.
  10. Enter the Authorization URL used to obtain an authorization code for your account.
    Note: For Apigee or Google Cloud Platform (GCP) account, you must append &access_type=offline to the authorization URL. For example: https://accounts.google.com/o/oauth2/v2/auth?prompt=consent&access_type=offline.
  11. Enter the Token URL used to exchange an authorization code for an access token.
  12. Optional: Enter Scope.

    The token expiration time can be set by the identity provider. If the token expires, the Bot uses the offline_access scope to get a new valid token when triggered, based on the details in the Control Room. See Configure OAuth connections in Control Room.

    Image displaying the OAuth authentication details page
    This information is used as claims (information about the user) in an access token and forwarded to the resource server to limit access.
    Note: We recommend that you add the offline_access scope, or appropriate refresh token scope, in the Control Room and when configuring your identity provider so that the access token can be automatically refreshed. Otherwise, you will have to manually refresh the token in the Control Room. See Authenticate user-specific OAuth connections.
  13. Click Next.
    The Test connection and save credentials screen appears.
  14. Optional: Select the Save login credentials.
    Note: Use this option only when you want to generate a shared token that allows users to use this connection without providing user authentication and consent. When you select this option, you must select the Shared token type option when using this connection. See OAuth tokens.
  15. Optional: Click Save changes and test connection.
    Image displaying the OAuth test connection and save credentials page
    Note: After you click the Save changes and test connection option and if the connection is successful, the Next button is disabled. Click the Back button, enter the Client secret again, and then click Next. You need not test the connection again unless you have made any changes to the previously provided authentication details.
  16. Click Next.
    The Invite roles screen appears.
  17. Select the roles that you want to invite to use this connection. Only invited roles can use the token in a bot, whether it is private or shared.Image displaying the OAuth invite roles page

    Invite roles action is mandatory if a Bot uses the OAuth connection. This action is optional if an external service will use the OAuth connection.

    Note: Only custom roles are displayed in the list of Available roles.
  18. Click Create connection. An OAuth connection is created.

The following video shows how to create an OAuth connection:

Next steps

Use OAuth connection