OpenID Connect (OIDC)

Protect your Dydu solutions with OpenID Connect

Before you start

OpenID Connect (OIDC) is an authentication standard built on top of the OAuth 2.0 protocol.

You can activate OIDC on Dydu's solutions to protect access to:

  • your Bot Management System. Only authorized users in your organization can have access to the BMS. To activate it, contact your Customer Success Manager.

  • your chatbot integrated into a website. By setting up OIDC on your chatbot, you secure the confidentiality of your knowledge base since only authenticated users can interact with the chatbot.

    Exception: chatbots available on other channels

    At the moment, we do not support OIDC on external channels (e.g. Teams, Meta). This means, for example, that if you use Dydu chatbots for both your website and Microsoft Teams, enabling OIDC on the website chatbot will not affect the one on Teams. It will continue to answer unauthenticated users.

Prerequisite:

Before setting up OIDC on your Dydu solutions, make sure you have already created an OIDC configuration in your Identity Provider's application.

Set up OIDC on your website chatbot

Overview

There are 2 mandatory steps to follow:

  1. Protect the Dydu API used by the chatbot

  2. Secure the chatbot display on your website

The second step needs to be done by your Account Manager or Customer Success Manager at Dydu.

Step 1. Protect the Dydu API used by the chatbot

This step secures the Dydu API, which allows the chatbot to send requests to the knowledge base of your BMS.

In your BMS, navigate to Preferences > Bot > General > Connections and tick the box "Enable OIDC".

The alternative option "Enable SAML" allows you to use the SAML standard to protect your chatbot. The two options cannot be active at the same time on one chatbot.

You will see 5 empty fields but only need to fill in 4 of them.

For the following 3 fields:

  1. JWKS URI

  2. Userinfo endpoint URI

  3. Issuer

These are values that you can retrieve directly from your OpenID Provider Configuration Information document.

It is a JSON file specific to the OIDC configuration created via your Identity Provider's (Google, Azure AD, IBMid, Keycloak, etc.) administration interface. It is publicly accessible at a path ending with /.well-known/openid-configuration.

For example:

  • For Azure AD (Microsoft), the path can be: https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration

  • For Google, it can look like: https://accounts.google.com/.well-known/openid-configuration

You can find this document on your OIDC Provider's administration interface.

For instance, on Azure AD this document is accessible via Azure Active Directory > App registrations > your application > Endpoints > OpenID Connect metadata document.

If you do not know the complete path to this document, contact the person in charge of the Identity Provider of your organisation.
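The following Python sketch is an added example, not Dydu's code. It pulls the three values out of a discovery document and checks them before you paste them into the BMS; the metadata keys (issuer, jwks_uri, userinfo_endpoint) come from the OpenID Connect Discovery specification, while the idp.example.com provider and the sample document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata keys from OpenID Connect Discovery 1.0 -> field labels shown in the BMS.
FIELD_MAP = {
    "jwks_uri": "JWKS URI",
    "userinfo_endpoint": "Userinfo endpoint URI",
    "issuer": "Issuer",
}

# Constructed sample: hypothetical provider, not a real endpoint.
SAMPLE_URL = "https://idp.example.com/realms/demo" + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com/realms/demo",
    "jwks_uri": "https://idp.example.com/realms/demo/certs",
    "userinfo_endpoint": "https://idp.example.com/realms/demo/userinfo",
    "authorization_endpoint": "https://idp.example.com/realms/demo/auth",
})


def bms_fields(discovery_url, document_text):
    """Return {BMS label: value}; raise ValueError if the document is unusable."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("URL does not end with " + WELL_KNOWN)
    doc = json.loads(document_text)
    if not isinstance(doc, dict):
        raise ValueError("discovery document is not a JSON object")
    values = {}
    for key, label in FIELD_MAP.items():
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError(f"{key} is missing from the document")
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{key} is not an https URL: {value}")
        values[label] = value
    # The issuer must be the prefix the document was served from; a mismatch
    # means the wrong document or a templated value such as a tenant placeholder.
    expected = discovery_url[: -len(WELL_KNOWN)]
    if values["Issuer"].rstrip("/") != expected.rstrip("/"):
        raise ValueError(f"issuer {values['Issuer']} does not match {expected}")
    return values


if __name__ == "__main__":
    for label, value in bms_fields(SAMPLE_URL, SAMPLE_DOC).items():
        print(f"{label}: {value}")
```

To check your own provider, save its discovery document to a file and pass the file's text together with the URL it was downloaded from.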

Regarding the last 2 fields:

  1. Client secret (not recommended)

  2. Audience

You can find the required information in the OIDC application you created via your OIDC provider's administration tool.

You only need to fill in either Client secret or JWKS URI. We recommend using the "JWKS URI", which has more certificates to verify and validate the token sent to Dydu's API.

The Audience field generally refers to the Client ID. An example in Keycloak:

Once you have filled in these 4 fields, click on Update to save your changes. The Dydu API is now protected by OIDC. Let's do the same for your chatbot!

Note - if your provider is Azure AD:

Dydu does not support the Implicit grant and hybrid flows options available under the Authentication tab of your Azure OIDC application.

Make sure not to activate them.

Step 2. Secure the chatbot display on your website

You need to secure the display of your chatbot by making it visible only to authenticated users.

This step needs to be done by your Account Manager or Customer Success Manager at Dydu, who will gather the required information from you to finish the process.

Step 3. Time to test!

To see if OIDC is effective on your chatbot, create a test page via Channels > Dydubox by publishing your Dydubox configuration.

Once you open that page you will be redirected to the authentication page of your OIDC provider.

Only after you log in can you see the chatbot and interact with it.

Reminder 1:

Make sure you have added the URIs of your website chatbot as redirect URIs in your OIDC provider application so that users can be redirected to the chatbot page after logging in.

Reminder 2:

When OIDC is activated, the preview on the Channel > Dydubox page will only answer with social interaction phrases.

If you want to test with your entire knowledge base, go to the chatbot test page mentioned above.


All rights reserved © 2023 dydu.