OBO Authentication
OBO or On-Behalf-Of authentication allows an authenticated extension app to perform the following operations on behalf of a given user:
List the streams of a given user
Initiate connection requests to and determine connection status with other users
Get the presence state of other connected users
Initiate IMs and MIMs with other users
Send messages and attachments
Set the context user's own presence
For a full list of OBO-Enabled endpoints, click here.
OBO use cases differ from bot use cases in that activities are performed as if end users had initiated actions directly from within Symphony themselves.
For OBO apps, authentication is a two-fold process:
The app itself must be authenticated using its RSA public Key. The app authenticates only if it is enabled for the pod and its key is trusted. Upon successful OBO app authentication, the app receives an app
sessionToken
.The app must request to authenticate on behalf of a particular user, using its app
sessionToken
. The app authenticates only if it is installed for the user and its appsessionToken
is valid. Upon successful OBO user authentication, the app receives the user'ssessionToken
.
Once the app has obtained the user's sessionToken
, it can make REST API calls with this sessionToken
to perform activities on behalf of the session user.
OBO App Permissions
Before proceeding, check out the OBO App permissions required for a given workflow:
Getting Started
In order to perform an OBO operation, you need to first create an extension application manifest
bundle.json
file and upload to the Pod.
Application Manifest Bundle File Sample:
Upload the manifest
bundle.json
to the Admin Portal -> App Management -> Add Custom App -> Import Application Bundle FileAdd your App Backend's (Bot) RSA public key in the Authentication section under App Management.
Give your Application the following Permissions:
ACT_AS_USER
Note: Give your extension application the appropriate permissions corresponding to your OBO workflow. For example, if you Bot will perform an OBO workflow to list a user's streams, grant your application with the LIST_USER_STREAMS permission.
Once your App is created, make sure that it is enabled:
Admin Portal -> App Settings -> Locate your App and toggle its 'Global Status' to be 'Enabled'
Toggle 'Visibility' to be 'Visible'
Toggle 'Installation' to be 'Manual'
The last step is to make sure that the application is installed for the appropriate users. If the installation is set to 'Manual', make sure end-users install the extension application manually via the Symphony Marketplace. If not, make sure Symphony Admin installs this application on behalf of a given list of users.
Implementing OBO Authentication
The BDK 2.0 makes it super simple to create an OBO based workflow, To do so, simply, simply instantiate an OBO Session in your Bot project. The BDK 2.0 allows you to instantiate your OBO session from a username or user ID.
Perform the Intended OBO workflow
In the following code snippet, the Bot authenticates on behalf of a given user and then prints a list of Streams (Type = ROOM) that the user in context is apart of:
Last updated