Adapter authentication
Communications between Medallia Conversations and the custom adapter require authentication
The custom channel adapter must implement authorization for inbound and outbound communications with Medallia Conversations. The authentication mechanisms are:
| Auth type | Inbound | Outbound |
|---|---|---|
| OAuth2 | Yes | Yes |
| API-Token | No | Yes (default) |
| Custom signature | Yes (default) | No |
The outbound and inbound paths may use different mechanisms.
OAuth2
OAuth2 uses the "Client credentials protocol flow" OAuth scheme which relies on a separate authentication service to verify the system making the request. When the adapter or Medallia Conversations makes a request to the other system, it must first obtain an access token from the OAuth2 service, as identified by the OAuth2 server URL setting. When making the token request, the requester includes the Client ID and Client secret to identify the requester to the service. The requester then includes the access token as an Authorization: Oauth header in the API call to the other system.
curl -X POST -H "Authorization: Bearer <ACCESS_TOKEN>" …For inbound calls, you can set the length of time the access token is valid. The adapter may use the same token until it expires as defined by the Access token lifetime, then the adapter must obtain a new access token.
API-token
Communications are POST requests with an access token passed as a query parameter named access_token, like this:
{custom-adapter-uri}/?access_token={access-token}The {access-token} can be any random string of ASCII text characters or numerals. The adapter is responsible for accepting or rejecting the token value. Whoever implements the adapter must provide the token value, and that value is entered in the Token property of the custom channel configuration.
Inbound authentication (signed request)
Inbound communications using Signed Requests must include:
A <PAGE_ID> in the payload that identifies the messaging application instance on the adapter. Each instance on the adapter must have a unique Page ID defined in the custom channel's settings.
The HTTP post request must contain an
X-Hub-Signatureheader with the SHA1 signature of the post payload. The signature is calculated using the keyed-hash message authentication code (HMAC) where the key is the <APP_SECRET> specified by the Secret property in the channel definition. The signature is then prefixed withsha1=.Important: TheX-Hub-Signatureheader label must be spelled exactly as shown, in the case shown. Other systems allow the string to be in any case.
For more information, see the reference implementation at https://github.com/medallia/medallia-conversations-adapter/blob/master/src/helpers/generateSignature.js.
A Postman Pre-request script should look similar to this:
curl -X POST \
https://conversations.medallia.com/cg/mc/custom/8ace4092-bd99-1e19-b7d5-8b6b3b20a9cc \
-H 'Cache-Control: no-cache' \
-H 'Content-Type: application/json' \
-H 'Postman-Token: ef9c3441-f01c-fb94-6a99-1750134112e5' \
-H 'X-Hub-Signature: sha1={{signature}}' \
-d '{ "object": "page", "entry": [ { "id": "237129", "time": "1564561788" } ], "messaging": [ { "sender": { "id": "+639054680168" }, "recipient": { "id": "237129" }, "timestamp": "1564561788", "message": { "text": "foo" } } ] }'