Create OAuth connection

A Control Room administrator can create OAuth connections for users to use these connections in the authentication action for packages without having to enter any authentication details.

Note: The Salesforce mark and logo, the Microsoft SharePoint mark and logo, the Apigee mark and logo, ServiceNow mark and logo, and the Genesys mark and logo are trademarks or registered trademarks of Salesforce, Inc., Microsoft Corp., Google LLC, ServiceNow, Inc., and Genesys, respectively, and are used for identification purposes only.

Prerequisites

  • Ensure that you are using a user role that has the Manage connections option enabled for the OAUTH CONNECTIONS feature. See Feature permissions for a role.
  • Ensure that you have configured an enterprise application and made a note of the Client ID, Client secret, Authorization URL, Token URL, and scope. See Configure enterprise applications.

    The following table provides the format of the Authorization URL, Token URL, and scope for the supported enterprise applications:

    Enterprise applications Authorization URL Token URL Scope
    Apigee https://accounts.google.com/o/oauth2/auth?prompt=consent&access_type=offline https://accounts.google.com/o/oauth2/token https://www.googleapis.com/auth/cloud-platform
    Genesys https://login.<yourinstance>.pure.cloud/oauth/authorize https://login.<yourinstance>.pure.cloud/oauth/token Not required
    Salesforce https://<yourinstance>.salesforce.com/services/oauth2/authorize https://<yourinstance>.salesforce.com/services/oauth2/token api,refresh_token,offline_access
    ServiceNow https://<yourinstance>.service-now.com/oauth_auth.do https://<yourinstance>.service-now.com/oauth_token.do Not required
    SharePoint https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token https://<domain-name>/AllSites.Manage, offline_access, openid
    Note: The OpenID scope is required only when your apps require the sub claim in the ID token to identify the end-user. Otherwise, this scope is optional.
    Google packages (Calendar, Drive and Sheets) https://accounts.google.com/o/oauth2/auth?prompt=consent&access_type=offline https://oauth2.googleapis.com/token
    • Google Sheets https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/spreadsheets
    • Google Drive https://www.googleapis.com/auth/drive
    • Google Calendar https://www.googleapis.com/auth/calendar
Note: We recommend that you use refresh tokens that are configured for a longer expiry duration.

To create a connection:

Procedure

  1. Navigate to Manage > OAuth connections.
  2. Click Create connection.
    The Connection settings screen appears.
  3. Select a Provider type.
    Note: The Callback URL is used in your enterprise application configuration settings to connect to the Control Room.
  4. Enter a unique Connection name to identify the connection.
  5. Optional: Enter a Description for the connection.
    Image displaying the OAuth connection settings page
  6. Click Next.
    The Authentication details screen appears.
  7. Select a Grant type.
    If you are configuring for a Google Cloud Platform (GCP) account, select Authorization Code Flow because Google Cloud Platform (GCP) does not support Authorization code flow with PKCE.
  8. Enter the Client ID that is provided by the provider for your account.
  9. Enter the Client secret that is provided by the provider for your account.
  10. Enter the Authorization URL used to obtain an authorization code for your account.
    Note: For Apigee or Google Cloud Platform (GCP) account, you must append &access_type=offline to the authorization URL. For example: https://accounts.google.com/o/oauth2/v2/auth?prompt=consent&access_type=offline.
  11. Enter the Token URL used to exchange an authorization code for an access token.
  12. Optional: Enter Scope.
    Image displaying the OAuth authentication details page
    This information is used as claims (information about the user) in an access token and forwarded to the resource server to limit access.
    Note: If you are adding more than one scope, ensure that you separate the scopes using commas or space separated delimiter.
  13. Click Next.
    The Test connection and save credentials screen appears.
  14. Optional: Select the Save login credentials.
    Note: Use this option only when you want to generate a shared token that allows users to use this connection without providing user authentication and consent. When you select this option, you must select the Shared token type option when using this connection. See OAuth tokens.
  15. Optional: Click Save changes and test connection.
    Image displaying the OAuth test connection and save credentials page
    Note: After you click the Save changes and test connection option and if the connection is successful, the Next button is disabled. Click the Back button, enter the Client secret again, and then click Next. You need not test the connection again unless you have made any changes to the previously provided authentication details.
  16. Click Next.
    The Invite roles screen appears.
  17. Optional: Select the roles that you want to invite to use this connection.
    Image displaying the OAuth invite roles page
    Note: Only custom roles are displayed in the list of Available roles.
    Use this option only when you want users to provide user authentication or consent when using this connection. When a user is using this connection in their bots, the user must select the User-specific token type option for the connection. See OAuth tokens.

    When you invite roles to use the OAuth connection, users who are part of the roles get notified about the assigned connection if they have subscribed to event notifications. See Notifications.

    Note: Only the users who are part of the invited roles will be able to use the connection. Other Control Room users will be able to view the connection in the Pick a connection window but will not be able to use the connection.
  18. Click Create connection.

The following video shows how to create an OAuth connection:

Next steps

Use OAuth connection