Basic flows for user authentication in Aura
Non-integrated channels
For this kind of channel, users always start as authenticated. The channel is responsible for authenticating the user against the OB and Kernel and for generating the auraId needed to build a valid request to Aura.
Further information about non-integrated channels can be found in Channels Authentication: non-integrated authentication.
The flow in this diagram must be executed just before sending messages to Aura on behalf of authenticated users.
⚠️ The request from Channel to IdP is not fully explained in the diagram. Follow the Kernel documentation for a deep dive on how it works.
@startuml
title: Users authentication flow for non-integrated channels
participant Channel #bdf492
participant AuthenticationApi #FFFF99
participant IdP #99FFFF
participant KernelAuthServer #99FFFF
participant KernelAuraServicesApi #99FFFF
Channel -> IdP: POST /authorize
IdP -> Channel: 200 OK {UserAuthenticationContext}
Channel -> KernelAuthServer: POST /token
Note over Channel,KernelAuthServer: Here a 3-legged accessToken is requested
KernelAuthServer -> Channel: {token}
Channel -> KernelAuraServicesApi: GET /users/aura-id
KernelAuraServicesApi -> AuthenticationApi: GET /aura-services/v1/users/aura-id
AuthenticationApi -> KernelAuraServicesApi: 200 OK {AuraUser}
KernelAuraServicesApi -> Channel: 200 OK {AuraUser}
Note over KernelAuraServicesApi,Channel: AuraUser contains the auraId needed to fulfil the requests to Aura.
@enduml
Integrated or federated channels
For this kind of channel, users always start as anonymous and can consume the generic use cases, those that can be resolved without knowing who the user is, such as FAQs or small talk.
Once the user requests a use case that needs to know her identity, the authentication flow is launched by a dialog available in aura-bot. In this case the auraId is decided by the channel; usually the channel's own user identifier is used. For instance, in the case of WhatsApp or Facebook, their own user identifiers are received and used as the auraId.
Further information about integrated channels can be found in Channels Authentication: integrated authentication.
This diagram replaces the Specific functional Dialog step of the diagram New Direct Line message from anonymous user, assuming that the user has requested an authenticated use case. For the sake of clarity, not all the steps of that diagram are repeated here.
User authentication by redirection
Find further details about how this mechanism works in Kernel here.
@startuml
title: Users authentication flow for integrated channels with URL redirection
participant AuthenticationApi #FFFF99
participant AuraGroot #76bbe7
participant AuraBot #41a0f9
participant AuraBridge #1add4d
participant IdP #99FFFF
participant KernelAuthServer #99FFFF
participant KernelUserProfileApi #99FFFF
AuraBot -> AuraBot: Executing a user message that raises a dialog that needs authentication
AuraBot -> AuraBot: Main Dialog
AuraBot -> AuraBot: ValidateAuthenticationForDialog
AuraBot -> AuraBot: AuthenticationDialog
AuraBot -> IdP: OPEN in webserver /authorize?state&redirectUri
Note over AuraBot,IdP: At this moment, a web page with the login form is open
IdP -> KernelAuthServer: Authentication status
Note over KernelAuthServer,AuthenticationApi: In Aura, the redirectUri points to our AuthenticationApi
KernelAuthServer -> AuthenticationApi: POST /aura-services/v1/users/auraid/integrated?code&state
AuthenticationApi -> AuthenticationApi: validate(state)
AuthenticationApi -> KernelAuthServer: POST /token {code}
KernelAuthServer -> AuthenticationApi: 200 OK {token}
AuthenticationApi -> KernelAuthServer: POST /introspect {token}
KernelAuthServer -> AuthenticationApi: 200 OK {plainToken}
AuthenticationApi -> AuthenticationApi: store(AuraUser)
AuthenticationApi -> KernelAuthServer: 200 OK
AuthenticationApi -> AuraBridge: sendAsyncCallback(AuraUser)
AuraBridge -> AuraGroot: Send {UserCreatedActivity}
AuraBridge -> AuthenticationApi: 200 OK
AuraGroot -> AuraGroot: Middlewares
AuraGroot -> AuraGroot: Recognizers (GetSkillByChannel)
AuraGroot -> AuraBot: Send {UserCreatedActivity}
AuraBot -> AuraGroot: 200 OK
AuraBot -> AuraBot: Middlewares
Note right of AuraBot: KPI entities are stored during Middlewares execution in local memory.\nEvery 2 minutes and before closing a POD, they are written in Azure Storage.
AuraBot -> AuraBot: Recognizers
AuraBot -> AuraBot: Main Dialog
AuraBot -> AuraBot: ValidateAuthenticationForDialog
AuraBot -> AuraBot: Execute Specific functional Dialog
AuraBot -> AuraGroot: Send {responseActivity}
AuraGroot -> AuraBot: 200 OK
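As an added example, not Aura's own code, this is the AuthenticationApi side of the redirect above in Python: validate(state), POST /token {code}, POST /introspect {token}, then the AuraUser that gets stored. The StateStore class, the 5-minute state lifetime and the fake stand-ins for the KernelAuthServer endpoints are assumptions so that it runs offline; the point it shows is that state must be unguessable, bound to one conversation, single-use and expiring, or a forged or replayed callback would let an attacker's code be bound to a victim's conversation.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

STATE_TTL_SECONDS = 300  # assumption: a login must complete within 5 minutes


class StateStore:
    """Issued 'state' values for /authorize?state&redirectUri, each single-use."""

    def __init__(self) -> None:
        self.pending: Dict[str, Tuple[str, float]] = {}  # state -> (conversation, issued_at)

    def issue(self, conversation_id: str, now: float) -> str:
        state = secrets.token_urlsafe(32)  # unguessable, so a forged callback cannot match it
        self.pending[state] = (conversation_id, now)
        return state

    def validate(self, state: str, now: float) -> Optional[str]:
        """Return the conversation bound to state and consume it; None if invalid."""
        login = self.pending.pop(state, None)  # single use: a replayed callback fails here
        if login is None or now - login[1] > STATE_TTL_SECONDS:
            return None
        return login[0]


def integrated_callback(code: str, state: str, store: StateStore, now: float,
                        exchange_code: Callable[[str], str],
                        introspect: Callable[[str], dict]) -> Optional[dict]:
    """The AuthenticationApi steps of the diagram: validate(state), POST /token
    {code}, POST /introspect {token}, then build the AuraUser to store."""
    conversation_id = store.validate(state, now)
    if conversation_id is None:
        return None  # unknown, expired or reused state: never call the token endpoint
    token = exchange_code(code)
    claims = introspect(token)
    if not claims.get("active"):
        return None  # Kernel does not vouch for this token
    return {"auraId": claims["sub"], "conversationId": conversation_id}


# Constructed stand-ins for the KernelAuthServer endpoints, so this runs offline.
def fake_exchange_code(code: str) -> str:
    return {"code-abc": "tok-123"}[code]


def fake_introspect(token: str) -> dict:
    return {"tok-123": {"active": True, "sub": "user-42"}}.get(token, {"active": False})
```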
User authentication using WhatsApp
Access these documents for further detail: