Configure OAuth connections in Control Room
- Updated: 2024/12/10
Configure OAuth connections in Control Room
OAuth is a secure, efficient, and easy-to-use open standard authorization protocol that helps you protect user privacy. It defines how to delegate or provide authorization to applications to access resources (such as remote or third-party APIs, or user data) without the user having to provide their username and password credentials. Currently, this configuration is only required if you are completing the PixieBrix connection setup.
For more information, see OAuth 2.0.
OAuth supports a set of predefined methods called grant types. Each grant type has specific requirements and flow depending on the scenario. Control Room OAuth connections support the following grant types:
- Authorization Code Flow
- Authorization Code Flow with Proof Key for Code Exchange (PKCE)
- Client Credentials Flow
OAuth architecture
With OAuth connections managed in the Control Room, you can manage connections and token lifecycle centrally through the Control Room. Additionally, you can securely store the tokens required to authenticate and authorize access to enterprise applications without having to obtain them at every automation run-time. The OAuth connections that are configured in the Control Room are outbound towards the corresponding enterprise applications for authentication purposes.
- Create and manage connections for every SaaS application used within automations.
- Manage token lifecycle for shared and user-specific tokens.
- Secure token storage by using industry standard encryption levels.
- Grant permissions and role-based access to manage and consume the OAuth connections within automations.
OAuth workflow example: The following example describes how to configure, create, and use the OAuth connection:
- Create a connection for an enterprise SaaS application.
- Enter the authentication details such as: client ID, client secret, authorization URL, and so on.
- (Optional) Save the login credentials and test the connection.
- Invite roles to use this connection or authenticate for unattended Bot Runners.
- Save and manage the connection.
See: Create OAuth connection.
- Create an API Task or Task Bot.
- Add authentication action for packages.
- Select the authentication type (Control room OAuth connection), connection name, and enterprise application information.
See: Use OAuth connection.
OAuth tokens
OAuth provides the following token types:
- Access token
- A long string of characters that serves as the credential used to access protected resources.
- Refresh token
- A long-lived special token used to obtain a new access token when the existing access token expires. The refresh token provides a short-lived access token instead of collecting credentials from the user every time a new access token is required. The Control Room uses the refresh token to get a new access token from the authorization server (AS).
When using OAuth, the access token and refresh token are returned in the same response during the token exchange process called Access Token Response.
OAuth tokens in Control Room
- Shared: The shared token type is typically used to
run unattended automations where user authentication or consent is not
required. To configure and use this token type in the Control Room, you must configure the following options:
- In the Manage connections permission can create OAuth connections. Such a user must select the Save login credentials option in the Test connection and save credentials screen when creating a connection so that a shared token is generated. See Create OAuth connection. section, a user with the
- When a user is using this connection in their bots, the user must select the Shared token type in the Pick a connection option. See Use OAuth connection.
- User-specific: The user-specific token type is
typically used to run attended automations where user authentication or
consent is required. To configure and use this token type in the Control Room, you must configure the following options:
- In the Manage
connections permission can create OAuth connections. Such a user must not select the
Save login credentials option in the
Test connection and save credentials
screen. Instead, the user must invite roles to use the connection by
selecting the appropriate roles in the Invite
roles screen. See Create OAuth connection.
Users who are part of the roles get notified about the assigned connection if they have subscribed to event notifications. See Notifications.
section, a user with the - The user who is using the User-specific connection in their bots must authenticate the connection in the section before using the connection. See Authenticate user-specific OAuth connections.
- When the user is using this connection in their bots, the user must select the User-specific token type in the Pick a connection option. See Use OAuth connection.
- In the Manage
connections permission can create OAuth connections. Such a user must not select the
Save login credentials option in the
Test connection and save credentials
screen. Instead, the user must invite roles to use the connection by
selecting the appropriate roles in the Invite
roles screen. See Create OAuth connection.
Benefits of integrating OAuth with Control Room
When you integrate OAuth with the Control Room, you:
- Provide a secure and standard model for automations to authenticate and authorize enterprise applications.
- Eliminate the need to manually enter the credentials at runtime or hard code the credentials in automations.
- Ensure that the access tokens are always valid and available for automations at runtime by obtaining them before they expire; therefore, eliminating the need for users to go through the authentication process to obtain them.
- Avoid repetitive task of configuring the OAuth parameters for every automation using the OAuth connection. The connections are referenced in automations using the enterprise application provider type.
Token lifecycle management
All access tokens have an expiration time dictated by the authorization server (AS). Tokens are refreshed using the token refresh mechanism to extend the token validity (by issuing a new token). With a centralized approach, the Control Room manages the token lifecycle and validates each token before a bot execution.