Authenticating your google assistant chatbot user with SAP’s IAS

In different sectors, we are all witnessing a significant increase in the use and deployment of chatbots. Many are attempting to come up with ideas that will help to create a better experience for users. 

As per Gartner, “Artificial Intelligence (AI) will be a mainstream customer experience investment in the next couple of years”. 47% of organizations will use chatbots for customer care and 40% will deploy virtual assistants. 

[picture credit: Spiceworks]

There are a lot of solutions in the market which helps in building Chatbots or smart assistants.  SAP’s CAI and Google Assistant are few of the best in the market.  

We will see how we authenticate and authorize users using a chatbot (google assistant) and get user’s details and groups they belong user IAS tenant. This is very much crucial when we want to integrate chatbots as part of business process and validate users and their identity. 

Prerequisites:  

I hope you already have a google assistant agent created in dialog flow with authentication enabled and a webhook created where you are using “actions-on-google” package to check the user’s sign-in activity.  

• If not, here’s how to create an agent with authentication: https://cloud.google.com/dialogflow/es/docs 
• To create a webhook with authentication check here’s a link for help: https://actions-on-google.github.io/actions-on-google-nodejs/2.13.0/index.html  

Let’s see how to achieve this:   

STEP A: Create an Application in your IAS tenant. 

1. To create an application, you need to login to your IAS tenant. 
2. Click on applications under Applications & resources on the left tab.
   
3. At the bottom, click on Add and give your app a name: 
4. Open the created application and click on Type, select Open ID.
   
5. Click on subject name identifier, select email as identifier there. 
   
6.  Goto  Assertion attributes and add the group as part of it. This will add the group as part of the authentication token.
   
7. Click on open id configuration and provide a name. redirect URL. Ensure the redirect URL is in the correct format.
   
8. Go to Client ID and secret. Click on a new secret. Please make a note of client Id and the generated secret, this will be needed at a later step.
   
9. Now we need to obtain the OAuth token URL and authentication endpoint. For this, go to Tenant Settings, and select OpenID connect configuration from the right tab.
   
10. Copy the authorization endpoint and token endpoint from there.  

You have all the required Configuration from IAS tenant.  Let’s jump to Google assistant side.  

STEP B: Configure your google assistant. 

1. Open google actions console.  Go to Develop -> Account linking. 
   
2. Select Linking type as Oauth & google sign in, Authorization code. For further details read this: https://developers.google.com/assistant/identity/oauth2?oauth=code  
3. Provide the client id, secret, redirect URL and token URL in the next step. 
   
4. Go to google developers console, select your google assistant project and go to credentials.  
5. You can find a client id generated for your agent, click on edit. 
6. Go to redirect url and pass the following:  

   <your-ias-tenant>/ui/oauth/googleCallback

7. Save it and go to your google actions console.
8. Click on the test, change the device type to Phone.
   
9. Now trigger the agent.  
10. It will prompt the login screen. Provide your credentials and you are authenticated. 
    
    

To validate whether we are getting the token or not and what are the contents of token I logged the token from my webhook. Here’s how it looks:  

You can map the groups to a role collection or make it part of your business logic and make your chatbot more real.