OAuth is an industry-standard mechanism that Medallia Experience Cloud uses to authorize limited access to its services and data. OAuth allows users, applications, and systems to grant access to resources without sharing personal authentication credentials such as passwords. Instead, the parties share a secure token that identifies what the user or application may access.

Analogy: This real-world scenario helps explain OAuth and relates it to the terms used throughout this discussion. When you (a client) check in to a hotel (resource server), the agent at the check-in counter asks for some identification, such as a driver's license or passport, to authenticate who you are (similar to SSO with SAML). The agent (authorization server) then hands you a key card (OAuth token) that gives you access to your room, the gym, the pool, parking, and limited access to other amenities (resources), but not the entire hotel. Further, the key card is only usable for the duration of your stay.

The discussion below explains how authorization complements authentication, and how Medallia Experience Cloud uses OAuth to grant access to applications requesting Medallia resources.

Authentication and authorization

Authorization is a process that complements authentication. Authentication identifies who a user or application is. In Experience Cloud, user authentication happens via single sign-on (SSO) or with a username and password (applications can authenticate with a "secret code" string provided by Medallia). Authorization determines what content and services a user or application may access. Authorization happens in combination with capabilities and permissions, which in turn can be identified with OAuth.

Authentication verifies identity (who); authorization gives permission (what)

When a user accesses Experience Cloud, their account and role identify what they can access. Applications working on behalf of a user need the same or similar restrictions as the user, but without sharing the user's credentials. OAuth solves this problem.

OAuth and Experience Cloud

Medallia Experience Cloud uses OAuth to grant applications, and users working through applications, limited access to Medallia Experience Cloud resources.

OAuth defines four roles:

Resource owner
An entity capable of granting access to a protected resource. The owner can be a person (an end user) or a service (such as Medallia Experience Cloud).

In the latter case, Experience Cloud "owns" the data but manages it on behalf of the users of a company.

Resource server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

The Experience Cloud database and reports are the resources in this discussion.

Client
An application requesting protected resources on behalf of the resource owner and with its authorization.

In Experience Cloud the client might be a Medallia Mobile or Medallia Voices app, or some other application accessing the resources on behalf of the company or a user of the company.

Authorization server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization. The authorization server may be the same server as the resource server or a separate entity.

In Experience Cloud the OAuth service performs authorization.

The four roles interact to grant authorization to the client (application) to allow it to access the protected resources.

The client requests authorization from the resource owner, requests an access token from the authorization server, and requests resources from the resource server

In Medallia Experience Cloud, client applications are pre-registered with Medallia, Inc. and have unique identification values (clientID). When a user uses the app to connect to Experience Cloud, the app requests authorization by passing the clientID and the session ID granted to the user during authentication. The combination of clientID and sessionID determines the resources available to the app and user. Medallia Voices is an example of this kind of application.

Apps working on behalf of a user include the clientID and sessionID when requesting authorization

Client credentials protocol flow

Some applications or systems accessing Experience Cloud do not work on behalf of a specific user. For example, some applications directly feed new survey records on behalf of a company. These applications have a pre-authenticated identification (clientSecret) that together with the clientID identifies the app and grants access to the appropriate resources. Medallia for Digital is an example of this kind of application.

Client applications not representing a user have a clientSecret identification that is pre-authenticated and hard-coded into the app

Note: In addition to OAuth, Medallia Mobile and Medallia Voices use Proof Key for Code Exchange (PKCE) to prevent malicious applications from attempting to use the access token. PKCE helps ensure that only the app that was issued the token is able to access the resources identified in the token.
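The following is an added illustration, not Medallia's code, of the PKCE binding the note above refers to: the client derives a one-way code_challenge from a random code_verifier (the S256 method of RFC 7636), the authorization server stores the challenge with the code it issues, and at exchange time only the party holding the original verifier can redeem that code. The AuthorizationServer class and its method names are a simplified model assumed for this example.

```python
import base64
import hashlib
import secrets


def make_code_verifier(num_bytes: int = 32) -> str:
    """Client side: high-entropy random verifier (43-128 URL-safe chars per RFC 7636)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(num_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Assumed toy model of the authorization server's PKCE bookkeeping."""

    def __init__(self):
        # Pending authorization codes: code -> (client_id, code_challenge)
        self._pending = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        """Authorization request: bind the challenge to a fresh single-use code."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def exchange(self, client_id: str, code: str, code_verifier: str):
        """Token request: release a token only if the verifier matches the stored challenge."""
        entry = self._pending.pop(code, None)  # a code is consumed on first use, valid or not
        if entry is None:
            return None  # unknown or replayed code
        expected_client, challenge = entry
        if client_id != expected_client:
            return None  # code was issued to a different registered client
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # caller does not hold the verifier that produced the challenge
        return {"access_token": secrets.token_urlsafe(24), "client_id": client_id}


def demo_flow(client_id: str = "example-app"):
    """Run a legitimate flow; returns the token and a second, rejected attempt with a bad verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    good = server.exchange(client_id, code, verifier)
    code2 = server.authorize(client_id, make_code_challenge(verifier))
    bad = server.exchange(client_id, code2, make_code_verifier())  # wrong verifier
    return good, bad
```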