Technology Blogs by SAP
Hi SAP Community,
 

I'm Harinder, and I'm working as a Product Owner on the SAP Conversational AI team. Before going into the details of how to use OAuth-based Authentication for SAP Conversational AI chatbots, let's clarify what OAuth is:
 

What is OAuth?


According to the OAuth website, OAuth is the industry-standard protocol for authorization. OAuth focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
SAP Conversational AI provides public APIs that can be consumed by bot developers to:

  • Configure their bots with design time APIs

  • Interact with their bots with run time APIs using a middleware


With the introduction of OAuth for SAP Conversational AI chatbots in October 2020, bot developers have the option to authenticate the API calls made by their middleware or clients to bots created before the February 2021 release of SAP Conversational AI using one of the following methods:

  • OAuth tokens (recommended method)

  • Bot (developer / request) tokens


 

Note: As of the May 2023 release, API calls to all bots (including the ones created before February 2021) will require OAuth tokens to be passed along with the bot tokens.

 

Depending on the token chosen, you are allowed to make different requests:

  • With your request token (version/environment), you can make requests in the RUNTIME API, to analyze text or start a conversation. When you create a new bot, by default, your bot has only one main version v1 and is assigned to the “DEVELOPMENT” environment. You will have one request token for each version and for each environment of your bot.

  • With your developer token, you can make requests on every endpoint our API provides.


In this tutorial, we will walk you through the steps for calling SAP Conversational AI APIs using OAuth tokens:

Option 1: Generating OAuth token using Client Credentials



  • Step 1: Generate OAuth client for design time/run time APIs

  • Step 2: Generate OAuth token using Client Credentials

  • Step 3: Call SAP Conversational AI APIs using OAuth token


Option 2: Generate OAuth Token using Client Certificate



  • Step 1: Generate OAuth client for design time/run time APIs

  • Step 2: Generate OAuth token using Client Certificate

  • Step 3: Call SAP Conversational AI APIs using OAuth token


Why you should use OAuth-based Authentication for SAP Conversational AI chatbots instead of using Bot tokens


The following table shows the differences between OAuth and Bot tokens and the advantages of using OAuth tokens:





























| OAuth token | Developer / Request token |
| --- | --- |
| Token automatically expires after twelve hours and needs to be regenerated every twelve hours | Token once generated remains the same throughout the lifetime of a bot and regeneration of the token has to be triggered manually |
| More secure | Less secure |
| Need to regenerate new token every 12 hours | Must update token in middleware every time a new token is generated |
| No need to update credentials in the middleware every time a new token is generated | Need to update token in middleware every time regeneration happens |
| Certificate based token generation is useful for server to server communication | No certificate-based token generation possible |


Difference between APIs and authentication


SAP Conversational AI provides two types of APIs:

















| Design-time | Run-time |
| --- | --- |
| APIs used to configure the bot (e.g. /entities, /intents, /dataset...) | APIs used to interact with the bot (e.g. /dialog or /request...) |
| Works with developer token of the bot | Works with request, version or environment token of the bot |

How to use OAuth-based Authentication for SAP Conversational AI chatbots


You can either follow the steps in the video or the steps described below:

Option 1: Generating OAuth token using Client Credentials


Step 1: Generate OAuth client for design time/run time APIs


Go to your Bot Settings and click Tokens.



 

Click the Generate button under the Run time APIs or Design time APIs.


 

Choose Client Credentials and click Next.


 

Once the client is generated, the following fields are displayed:





















| Field | Usage for Token Generation |
| --- | --- |
| Auth URL | URL to be used for generation of OAuth token |
| Client ID | Identifier of the OAuth client, to be passed in client_id field in request body |
| Client Secret | Secret for OAuth Client to be passed in client_secret field in request body |



Step 2: Generate OAuth token using Client Credentials


curl -X POST "<Auth_URL>" -d 'grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>'


Note: OAuth tokens expire after twelve hours. The value of the expires_in field indicates the time until expiry (in seconds).

Step 3: Call SAP Conversational AI APIs using OAuth token


Design time APIs
Headers:

  • Authorization: Bearer <Designtime_OAuth_Token>

  • X-Token: Token <Developer_Token>


Run time APIs
Headers:

  • Authorization: Bearer <Runtime_OAuth_Token>

  • X-Token: Token <Request_Token>





Option 2: Generating OAuth token using Client Certificate


Step 1: Generate OAuth client for design time/run time APIs


Go to your Bot Settings and click Tokens.


 

Click the Generate button under the Run time APIs or Design time APIs.


 

Choose Client Certificate and click Next.


 

Paste the certificate code in the text box and click Generate.


 

Once the client is generated, the following fields are displayed:

















| Field | Usage for Token Generation |
| --- | --- |
| Auth URL | URL to generate OAuth token |
| Client ID | Identifier of the OAuth client to be passed in client_id field in request body |


Step 2: Generate OAuth Token using Client Certificate


curl --cert cert.pem --key key.pem -X POST "<Auth_URL>" -d 'grant_type=client_x509&client_id=<client_id>'

Here cert.pem is the public key certificate and key.pem is the private key of the certificate.


Note: OAuth tokens expire after twelve hours. The value of the expires_in field indicates the time until expiry (in seconds).

Step 3: Call SAP Conversational AI APIs using OAuth Token


To call an API, you need to paste the token in the Headers of the API call.

Design time APIs
Headers:

  • Authorization: Bearer <Designtime_OAuth_Token>

  • X-Token: Token <Developer_Token>


Run time APIs
Headers:

  • Authorization: Bearer <Runtime_OAuth_Token>

  • X-Token: Token <Request_Token>
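
The token request from Option 1 and Option 2 and the Step 3 headers, combined into one middleware-side helper that reuses a token until shortly before it expires. This is an added example, not code from the original post or from SAP: the function and class names are hypothetical, and it assumes the token response carries the standard OAuth 2.0 access_token field alongside the expires_in field mentioned above.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

def token_form(client_id, client_secret=None):
    """Form body for the token request; no secret means the client_x509 grant."""
    if client_secret is None:
        return {"grant_type": "client_x509", "client_id": client_id}
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret}

def fetch_token(auth_url, client_id, client_secret=None, cert=None, timeout=10):
    """POST to the Auth URL. cert=(cert.pem, key.pem) selects Option 2.
    The secret travels in the request body, never in the URL or on argv."""
    ctx = ssl.create_default_context()      # verifies the server certificate
    if cert:
        ctx.load_cert_chain(*cert)          # client certificate and private key
    body = urllib.parse.urlencode(token_form(client_id, client_secret)).encode()
    req = urllib.request.Request(auth_url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)

class TokenCache:
    """Reuses one OAuth token and refreshes it `skew` seconds before expiry."""
    def __init__(self, fetch, skew=300, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._deadline = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._deadline:
            reply = self._fetch()
            # Assumption: standard OAuth 2.0 field name for the token itself.
            self._token = reply["access_token"]
            self._deadline = now + max(int(reply["expires_in"]) - self._skew, 0)
        return self._token

def api_headers(cache, bot_token):
    """Both headers from Step 3: the OAuth token plus the matching bot token."""
    return {"Authorization": f"Bearer {cache.get()}",
            "X-Token": f"Token {bot_token}"}

if __name__ == "__main__":
    # Constructed token response standing in for the Auth URL (no network needed).
    fake = lambda: {"access_token": "constructed-token", "expires_in": 43200}
    cache = TokenCache(fake)
    print(sorted(api_headers(cache, "constructed-request-token")))  # names only
```

In real use, pass TokenCache a zero-argument callable that wraps fetch_token with credentials read from the environment or a secret store, and keep token values out of logs.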



 

Note: If you don’t need the OAuth token anymore, it is recommended that you delete the token to avoid any security issues.

Congrats, you know how to generate OAuth tokens using Client Credentials and Client Certificate, allowing you to integrate various middleware with your chatbots to interact in a secure and robust manner.

