diff --git a/auth4genai/docs.json b/auth4genai/docs.json index 6379522ee..e2f02ad00 100644 --- a/auth4genai/docs.json +++ b/auth4genai/docs.json @@ -56,7 +56,6 @@ "pages": [ "intro/token-vault", "intro/integrations", - "intro/account-linking", "intro/call-others-apis-on-users-behalf" ] }, @@ -88,13 +87,6 @@ "icon": "robot", "pages": ["sample-apps"] }, - { - "group": "Guides", - "icon": "graduation-cap", - "pages": [ - "guides/client-initiated-account-linking" - ] - }, { "group": "Glossary", "icon": "compass", diff --git a/auth4genai/get-started/call-others-apis-on-users-behalf.mdx b/auth4genai/get-started/call-others-apis-on-users-behalf.mdx index 141e6c4c5..db62e06b5 100644 --- a/auth4genai/get-started/call-others-apis-on-users-behalf.mdx +++ b/auth4genai/get-started/call-others-apis-on-users-behalf.mdx @@ -13,8 +13,9 @@ Use Auth0 SDKs to fetch access tokens for social and enterprise identity provide By the end of this quickstart, you should have an AI application integrated with Auth0 that can: -1. Retrieve access tokens for a Google social connection. -2. Integrate with an AI agent to call Google APIs. +1. Initiate a Connected Accounts flow that will allow the user to connect their Google account and grant access to the AI agent. +2. Retrieve access tokens for a Google social connection. +3. Integrate with an AI agent to call Google APIs. ## Pick your tech stack @@ -50,5 +51,4 @@ By the end of this quickstart, you should have an AI application integrated with You have successfully added the ability to get access tokens for tool calling to your application. For next steps: - [Call your APIs on user's behalf docs](/intro/call-your-apis-on-users-behalf). -- Learn more about [Client-initiated account linking](/guides/client-initiated-account-linking). - Learn more about how Auth0's [Token Vault](https://auth0.com/docs/secure/tokens/token-vault) manages the tokens of supported identity providers. 
diff --git a/auth4genai/guides/client-initiated-account-linking.mdx b/auth4genai/guides/client-initiated-account-linking.mdx deleted file mode 100644 index 99e581f0b..000000000 --- a/auth4genai/guides/client-initiated-account-linking.mdx +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: Client-Initiated Account Linking -description: Learn how Auth0 for AI Agents enables AI agents to link user accounts. -sidebarTitle: Client-Initiated Account Linking ---- -import { Prerequisites } from "/snippets/get-started/prerequisites/account-linking.jsx"; -import { AccountAndAppSteps } from "/snippets/get-started/prerequisites/account-app-steps.jsx"; - -Client-initiated account linking enables AI agents to request access and connect to multiple identity providers on the user’s behalf through Auth0. - -When a user authenticates with a supported identity provider, Auth0 creates a new identity associated with the connection in the user profile’s `identities` array. A user can have multiple identities associated with various identity providers. - -Account linking is the process of linking multiple identities in a single user profile. As a result, users can log into supported identity providers with a single set of credentials instead of creating a separate user account for each identity provider. To learn more, read [Account linking](/intro/account-linking). - -In Client-initiated account linking, the client initiates the account linking request to Auth0 on the user’s behalf. When the client attempts to access an external provider’s API that the user has not granted access to, Auth0 returns a response that it cannot find the access token for that service, triggering the account linking flow. - - - -## How it works - -Let's walk through a real-world example: After authenticating via Auth0 using [Passkeys](https://auth0.com/docs/authenticate/database-connections/passkeys), a user asks an AI agent integrated with a productivity app to fetch Google Calendar events: - -1. The application calls the Agent API with an Auth0 access token and the user input “Get Google Calendar events for today and tomorrow.” -2. The Agent API uses an Auth0 access token to call Auth0 and requests a Google access token with the Calendar scopes. -3. 
Auth0 looks for a Google access token with the requested Calendar scopes in the secure [Token Vault](https://auth0.com/docs/secure/tokens/token-vault). Because the user has not authorized access to the Google Calendar API, Auth0 returns a `tokenset_not_found` response. -4. The Agent API returns this response to the application, which initiates an account linking request to Auth0. -5. When the user authorizes access to the Google Calendar API, they also authorize Auth0 to perform the account linking flow. -6. Auth0 then uses the Google access token to call the Google Calendar API and complete the operation. - - -![Client-initiated account linking flow](/img/client_initiated_account_linking.png) - - -When the primary user logs in via `/authorize`, the Client-Initiated Account Linking [`post-login`](https://auth0.com/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger#login-post-login) Action checks for the `link_account` scope and attempts to link the requested user account (secondary account) with their existing logged in account (primary account). In our example, the user's Auth0 account is the primary account and the user's Google account is the secondary account. - -## Link user accounts - - - - - To link user accounts, generate an authorize URL and pass the `link_account` scope along with the following parameters: - - | **Parameter** | **Description** | - |-----------|-------------| - | `scope` | Set to `link_account` to link accounts. | - | `requested_connection` | The name of the connection you want to link accounts with. | - | `requested_connection_scope` | The requested connection’s scopes. | - | `id_token_hint` | The ID token issued for the primary user. 
| - - ```tsx wrap lines - // src/app/page.tsx - import { auth0 } from "@/lib/auth0"; - - async function generateAccountLinkingHref(requested_connection: string) { - "use server"; - const session = await auth0.getSession(); - const id_token_hint = session!.tokenSet!.idToken!; - const authParams = new URLSearchParams({ - scope: "link_account openid profile offline_access", - requested_connection, - id_token_hint, - }).toString(); - - return `/auth/login?${authParams}`; - } - - export default async function Home() { - return ( - - Link Google Account - - ); - } - ``` - - When the account linking flow has been triggered: - - 1. The Action checks if the user has a linked account for the requested connection by searching the user profile’s `identities` array. If a linked account for the requested connection already exists, the Action exits the account linking flow. - 2. The Action validates the ID token passed to `id_token_hint` by verifying that its `sub` claim matches the session's user ID. Note that the ID token shouldn’t be older than the expiration defined in the `exp` claim. - 3. After the Action determines that the currently logged-in user is the same user Auth0 is requesting account linking for, Auth0 validates that the user has access to the requested connection. - 4. The user authenticates with the requested connection by logging into their secondary account. If the secondary account requires MFA, the user authenticates with the configured MFA factor. - 5. Auth0 redirects back to the Action with the ID token from the secondary account authentication. - 6. After the Action validates the ID token, it uses Auth0 SDKs to link accounts into a single user profile. The secondary account is added to the user profile’s `identities` array. - 7. The Action sets the user ID back to that of the primary account. The user account linking flow completes and redirects the user back to your application. - - - - -Coming soon... 
- - - -## Unlink accounts - -To unlink accounts, use the Management API to call the [Unlink a user account](https://auth0.com/docs/api/management/v2#!/Users/delete_user_identity_by_user_id) endpoint. To learn more, read [Unlink user accounts](https://auth0.com/docs/manage-users/user-accounts/user-account-linking/unlink-user-accounts). - -## Learn more - -- Learn more about how to [link user accounts in Auth0](https://auth0.com/docs/manage-users/user-accounts/user-account-linking/link-user-accounts). -- Learn more about how to [unlink user accounts in Auth0](https://auth0.com/docs/manage-users/user-accounts/user-account-linking/unlink-user-accounts). diff --git a/auth4genai/integrations/basecamp.mdx b/auth4genai/integrations/basecamp.mdx index ca84e4e4d..644ec0bf9 100644 --- a/auth4genai/integrations/basecamp.mdx +++ b/auth4genai/integrations/basecamp.mdx @@ -37,10 +37,10 @@ Connect your AI agent to a user's Basecamp account to create new projects, add t To configure the Token Vault for your Basecamp connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/bitbucket.mdx b/auth4genai/integrations/bitbucket.mdx index 14de70b1c..9b345a67f 100644 --- a/auth4genai/integrations/bitbucket.mdx +++ b/auth4genai/integrations/bitbucket.mdx @@ -40,10 +40,10 @@ Connect your AI agent to Bitbucket to manage repositories, automate pull request To configure the Token Vault for your Bitbucket connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/box.mdx b/auth4genai/integrations/box.mdx index cc1f05702..afd1a2151 100644 --- a/auth4genai/integrations/box.mdx +++ b/auth4genai/integrations/box.mdx 
@@ -1,38 +1,40 @@ --- title: Box -description: "Connect your AI Agents to Box for file management and collaboration." --- import FindDomainInfoBlock from "/snippets/common/find-domain-info-block.mdx"; -import AddConnectionInAuth0 from "/snippets/integrations/add-connection-auth0.mdx"; -import LearnMore from "/snippets/integrations/learn-more.mdx"; +import { IntegrationInfoBlock } from "/snippets/integrations/IntegrationInfoBlock.jsx"; +import { Auth0SetupBlock } from "/snippets/integrations/Auth0SetupBlock.jsx"; +import { TokenVaultConfigBlock } from "/snippets/integrations/TokenVaultConfigBlock.jsx"; +import NextStepsBlock from "/snippets/integrations/next-step.mdx"; -The Box integration enables your AI Agents to authenticate users with their Box accounts and access their file storage. +Connect your AI Agents to Box for file management and collaboration. -## Overview - -Box is an enterprise-focused cloud storage and collaboration platform. This integration allows AI agents to securely access, manage, and collaborate on files stored in Box, making it ideal for business applications that need document management capabilities. - -## Configuration +## Connect Box to Auth0 - + 1. Sign up for a [Box Developer account](https://developers.box.com/) 2. Set up an app using Box's [Custom Apps: Setup with OAuth 2.0](https://developer.box.com/guides/applications/custom-apps/oauth2-setup/) documentation 3. Note your **Client ID** and **Client Secret** - - - 1. Use the following settings when configuring your app: - - Redirect URI: `https://YOUR_AUTH0_DOMAIN/login/callback` - - Application Scopes: Select the permissions you want to enable for this connection. - - + + - + + +## Token Vault configuration example + +To configure the Token Vault for your Box connection, you can use the following code snippet in your application: + + - + diff --git a/auth4genai/integrations/digitalocean.mdx b/auth4genai/integrations/digitalocean.mdx index a6c3aa32a..be49fa1b0 100644 
--- a/auth4genai/integrations/digitalocean.mdx +++ b/auth4genai/integrations/digitalocean.mdx @@ -26,6 +26,7 @@ Connect your AI agent to a user's DigitalOcean account to automate the creation 5. Click **Register OAuth Application** and note your **Client ID** and **Client Secret**. To learn more about DigitalOcean OAuth setup, read the [DigitalOcean OAuth API documentation](https://docs.digitalocean.com/reference/api/oauth/). + @@ -38,10 +39,11 @@ Connect your AI agent to a user's DigitalOcean account to automate the creation To configure the Token Vault for your DigitalOcean connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/discord.mdx b/auth4genai/integrations/discord.mdx index fa7aacff3..0e39c5041 100644 --- a/auth4genai/integrations/discord.mdx +++ b/auth4genai/integrations/discord.mdx @@ -23,7 +23,7 @@ Connect your AI agent to a Discord server to welcome new members, play music, ma 5. Set permissions/scopes you need: - For basic login, the **identify** scope is generally required to get basic user information 6. Save changes - + To learn more about setting up Discord, read the [Login with Discord documentation](https://discord.com/developers/docs/topics/oauth2). @@ -37,10 +37,10 @@ Connect your AI agent to a Discord server to welcome new members, play music, ma To configure the Token Vault for your Discord connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/dropbox.mdx b/auth4genai/integrations/dropbox.mdx index f4d1836b3..b15a72425 100644 --- a/auth4genai/integrations/dropbox.mdx +++ b/auth4genai/integrations/dropbox.mdx 
@@ -32,7 +32,7 @@ Connect your AI agent to a user's Dropbox account to automatically organize file To learn more about setting up Dropbox, read the [Developer guide for Dropbox documentation](https://www.dropbox.com/developers/documentation/http/documentation). - + @@ -42,10 +42,10 @@ Connect your AI agent to a user's Dropbox account to automatically organize file To configure the Token Vault for your Dropbox connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/figma.mdx b/auth4genai/integrations/figma.mdx index f5094af8b..a1c90d49f 100644 --- a/auth4genai/integrations/figma.mdx +++ b/auth4genai/integrations/figma.mdx @@ -37,10 +37,11 @@ Connect your AI agent to a user's Figma account to export assets, apply changes To configure the Token Vault for your Figma connection, you can use the following code snippet in your application: - diff --git a/auth4genai/integrations/fitbit.mdx b/auth4genai/integrations/fitbit.mdx index 755f6af01..58fd1bd28 100644 --- a/auth4genai/integrations/fitbit.mdx +++ b/auth4genai/integrations/fitbit.mdx @@ -39,10 +39,11 @@ Connect your AI agent to a user's Fitbit account to track fitness data, log acti To configure the Token Vault for your Fitbit connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/freshbooks.mdx b/auth4genai/integrations/freshbooks.mdx index cbed46c6e..7d7d23603 100644 --- a/auth4genai/integrations/freshbooks.mdx +++ b/auth4genai/integrations/freshbooks.mdx 
@@ -40,10 +40,47 @@ Connect your AI agent to a user's FreshBooks account to create and send invoices To configure the Token Vault for your FreshBooks connection, you can use the following code snippet in your application: - + + + ```tsx wrap lines + const auth0AI = new Auth0AI(); + + export const withFreshbooksConnection = auth0AI.withTokenVault({ + connection: "freshbooks", + scopes: [ + // required scopes for Token Vault + "user:profile:read", + // optional scopes specific to your app + ... + ], + refreshToken: getAuth0RefreshToken(), + authorizationParams: { + prompt: "login", + }, + }); + ``` + + + + ```python wrap lines + auth0_ai = Auth0AI() + + with_freshbooks_connection = auth0_ai.with_token_vault( + connection="freshbooks", + scopes=[ + # required scopes for Token Vault + "user:profile:read", + # optional scopes specific to your app + ... + ], + refresh_token=get_auth0_refresh_token, + authorization_params={ + "prompt": "login", + }, + ) + ``` + + + diff --git a/auth4genai/integrations/github.mdx b/auth4genai/integrations/github.mdx index de1431bb6..b58b44c82 100644 --- a/auth4genai/integrations/github.mdx +++ b/auth4genai/integrations/github.mdx 
@@ -1,18 +1,15 @@ --- title: GitHub -description: "Connect your AI Agents to GitHub for repository access, issue management, and developer workflows." --- import FindDomainInfoBlock from "/snippets/common/find-domain-info-block.mdx"; -import LearnMore from "/snippets/integrations/learn-more.mdx"; +import { IntegrationInfoBlock } from "/snippets/integrations/IntegrationInfoBlock.jsx"; +import { Auth0SetupBlock } from "/snippets/integrations/Auth0SetupBlock.jsx"; +import NextStepsBlock from "/snippets/integrations/next-step.mdx"; -The GitHub integration allows your AI Agents to authenticate users with their GitHub accounts and access GitHub repositories through GitHub's APIs. +Connect your AI Agents to GitHub for repository access, issue management, and developer workflows. -## Overview - -The GitHub integration is perfect for developer focused AI applications that need to interact with code repositories, manage issues, or automate development workflows. This integration provides access to both public and private repositories based on user permissions. - -## Configuration +## Connect GitHub to Auth0 GitHub app permissions @@ -22,7 +19,7 @@ GitHub apps [use fine grained permissions](https://docs.github.com/en/enterprise - +
  1. Sign up for a [GitHub Developer account](https://github.com/signup) @@ -60,10 +57,9 @@ GitHub apps [use fine grained permissions](https://docs.github.com/en/enterprise GitHub OAuth app you created.
  2. - In **Advanced**, toggle **Enable Token Vault**. This allows the - connection to retrieve and store access tokens for third-party APIs - securely. To learn more, read [Configure Token - Vault](https://auth0.com/docs/secure/tokens/token-vault/configure-token-vault). + In **Purpose**, toggle on **Use for Connected Accounts for Token Vault**. This allows the + connection to retrieve and securely store access tokens for external APIs. To learn more, read [Connected Accounts for Token + Vault](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault).
  3. Click **Create**.
  4. @@ -74,6 +70,8 @@ GitHub apps [use fine grained permissions](https://docs.github.com/en/enterprise + + ## Token Vault configuration Example To configure the Token Vault for your GitHub connection, you can use the following code snippet in your application: @@ -107,4 +105,4 @@ To configure the Token Vault for your GitHub connection, you can use the followi - + diff --git a/auth4genai/integrations/google-workspace.mdx b/auth4genai/integrations/google-workspace.mdx index 393e3ef13..6f5e57ce7 100644 --- a/auth4genai/integrations/google-workspace.mdx +++ b/auth4genai/integrations/google-workspace.mdx @@ -22,9 +22,10 @@ To set up a Google Workspace connection with Auth0, follow the [Connect Your App To configure the Token Vault for your Google Workspace connection, you can use the following code snippet in your application: + scopes={["email"]} + optionalScopes={["https://www.googleapis.com/auth/spreadsheets.readonly","https://www.googleapis.com/auth/admin.directory.user.readonly"]} +/> diff --git a/auth4genai/integrations/google.mdx b/auth4genai/integrations/google.mdx index 2e31278ab..76a72f86b 100644 --- a/auth4genai/integrations/google.mdx +++ b/auth4genai/integrations/google.mdx @@ -103,7 +103,7 @@ Enable Google APIs for your OAuth 2.0 Client: Navigate to the [Google API Library](https://console.cloud.google.com/apis/library). Then, search for your Google API and select it from the results. - For each Google API you want to enable, select **Enable**. + For each Google API you want to enable, select **Enable**. @@ -132,18 +132,15 @@ Use the [Auth0 Dashboard](https://manage.auth0.com/) to create a new Google soci
  5. - - In **Permissions**, select all the required scopes. When you get an access - token for the Google social connection, it will contain the appropriate - scopes so you can use it to call the required Google APIs. + + In **Purpose**, toggle **Use for Connected Accounts**. This allows the connection + to retrieve and securely store access tokens for external APIs. To learn + more, read [Connected Accounts for Token Vault](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault). - - In **Advanced**, toggle **Enable Token Vault**. This allows the connection - to retrieve and store access tokens for third-party APIs securely. To learn - more, read [Configure Token - Vault](https://auth0.com/docs/secure/tokens/token-vault/configure-token-vault). + + In **Permissions**, select Offline Access, allowing your client application to obtain an Auth0 refresh token. When you get an access token for the Google social connection, it will contain the appropriate + scopes so you can use it to call the required Google APIs. - Click **Save Changes**. After saving, go the **Applications** tab and select the applications that should use this connection. @@ -165,7 +162,7 @@ To configure the Token Vault for your Google connection, you can use the followi export const withGoogleConnection = auth0AI.withTokenVault({ connection: "google-oauth2", - scopes: ["https://www.googleapis.com/auth/calendar.freebusy", ...], + scopes: ["openid", "https://www.googleapis.com/auth/calendar.freebusy", ...], refreshToken: getAuth0RefreshToken(), }); ``` @@ -177,7 +174,7 @@ To configure the Token Vault for your Google connection, you can use the followi with_google_connection = auth0_ai.with_token_vault( connection="google-oauth2", - scopes=["https://www.googleapis.com/auth/calendar.freebusy", ...], + scopes=["openid", "https://www.googleapis.com/auth/calendar.freebusy", ...], refresh_token=get_auth0_refresh_token, ) ``` 
diff --git a/auth4genai/integrations/hugging-face.mdx b/auth4genai/integrations/hugging-face.mdx index af13d9efd..70e452645 100644 --- a/auth4genai/integrations/hugging-face.mdx +++ b/auth4genai/integrations/hugging-face.mdx @@ -40,10 +40,10 @@ Connect your AI agent to a user's Hugging Face account to manage and upload mode To configure the Token Vault for your Hugging Face connection, you can use the following code snippet in your application: - diff --git a/auth4genai/integrations/microsoft-azure.mdx b/auth4genai/integrations/microsoft-azure.mdx index a01354e1a..7a1058fcf 100644 --- a/auth4genai/integrations/microsoft-azure.mdx +++ b/auth4genai/integrations/microsoft-azure.mdx @@ -22,9 +22,10 @@ To set up a Microsoft Entra connection with Auth0, follow the [Connect Your App To configure the Token Vault for your Microsoft Entra connection, you can use the following code snippet in your application: + scopes={["openid", "offline_access"]} + optionalScopes={["https://graph.microsoft.com/Files.Read","https://graph.microsoft.com/Directory.Read.All"]} +/> diff --git a/auth4genai/integrations/microsoft.mdx b/auth4genai/integrations/microsoft.mdx index 76ccbdc89..aed763721 100644 --- a/auth4genai/integrations/microsoft.mdx +++ b/auth4genai/integrations/microsoft.mdx 
@@ -1,22 +1,19 @@ --- title: Microsoft -description: "Connect your AI Agents to Microsoft services including Outlook, Teams, OneDrive, and more." --- import FindDomainInfoBlock from "/snippets/common/find-domain-info-block.mdx"; -import AddConnectionInAuth0 from "/snippets/integrations/add-connection-auth0.mdx"; -import LearnMore from "/snippets/integrations/learn-more.mdx"; +import { IntegrationInfoBlock } from "/snippets/integrations/IntegrationInfoBlock.jsx"; +import { Auth0SetupBlock } from "/snippets/integrations/Auth0SetupBlock.jsx"; +import { TokenVaultConfigBlock } from "/snippets/integrations/TokenVaultConfigBlock.jsx"; +import NextStepsBlock from "/snippets/integrations/next-step.mdx"; -The Microsoft integration enables your AI Agents to access Microsoft applications and services. - -## Overview - -The Microsoft integration provides access to Microsoft's ecosystem of applications and services. This integration is essential for B2B scenarios where users need to access their work data and collaborate through Microsoft services. +Connect your AI Agents to Microsoft services including Outlook, Teams, OneDrive, and more. ## Configuration - + 1. [Sign up for an account on the Azure portal](https://azure.microsoft.com/en-us/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) @@ -24,7 +21,7 @@ The Microsoft integration provides access to Microsoft's ecosystem of applicatio Tenant](https://learn.microsoft.com/en-us/entra/external-id/customers/quickstart-tenant-setup) - + 1. Register an app in Azure using Microsoft's [Quickstart: Register an application with the Microsoft identity 
@@ -35,16 +32,21 @@ The Microsoft integration provides access to Microsoft's ecosystem of applicatio make note of these. - + + + + - 1. Use the following settings when configuring your app: - - Redirect URI: `https://YOUR_AUTH0_DOMAIN/login/callback` + - +## Token Vault configuration example - - +To configure the Token Vault for your Microsoft connection, you can use the following code snippet in your application: - + - + diff --git a/auth4genai/integrations/oauth2.mdx b/auth4genai/integrations/oauth2.mdx index 575200abe..b4407da7f 100644 --- a/auth4genai/integrations/oauth2.mdx +++ b/auth4genai/integrations/oauth2.mdx @@ -13,8 +13,8 @@ If a specific identity provider or service isn't available out of the box, Auth0 To learn more and configure a custom OAuth2 connection with Auth0, see our [Connect Apps to Generic OAuth2 Authorization Servers documentation](https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/oauth2). -## Configure Token Vault +## Configure Connected Accounts for Token Vault -After creating the connection, at the bottom of the connection settings in the **Advanced** section enable the **Enable Token Vault** toggle. This will allow your connection to retrieve and store access tokens for third-party APIs. +After creating the connection, in the **Purpose** section, toggle on **Use for Connected Accounts for Token Vault**. This allows your connection to retrieve and securely store access tokens for external APIs. To learn more, read [Connected Accounts for Token Vault](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault). diff --git a/auth4genai/integrations/salesforce.mdx b/auth4genai/integrations/salesforce.mdx index 6ed5502c6..97f9ab088 100644 --- a/auth4genai/integrations/salesforce.mdx +++ b/auth4genai/integrations/salesforce.mdx 
@@ -55,7 +55,7 @@ Connect your AI agent to a user's Salesforce account to create or update leads a - `api` - Access and manage your data - `refresh_token` - Perform requests on your behalf at any time - `offline_access` - Maintain access when you're not present - + These scopes must also be enabled in your Salesforce Connected App configuration. @@ -67,10 +67,10 @@ Connect your AI agent to a user's Salesforce account to create or update leads a To configure the Token Vault for your Salesforce connection, you can use the following code snippet in your application: - ## Troubleshooting @@ -90,4 +90,4 @@ If you encounter `invalid_grant` errors with expired access/refresh tokens: For additional troubleshooting resources, refer to Salesforce's OAuth troubleshooting documentation and error code references. - \ No newline at end of file + diff --git a/auth4genai/integrations/slack.mdx b/auth4genai/integrations/slack.mdx index b7693d8f8..dd3aa06ec 100644 --- a/auth4genai/integrations/slack.mdx +++ b/auth4genai/integrations/slack.mdx 
@@ -1,21 +1,19 @@ --- title: Slack -description: "Connect your AI Agents to Slack for team communication and workflow automation." --- import FindDomainInfoBlock from "/snippets/common/find-domain-info-block.mdx"; -import LearnMore from "/snippets/integrations/learn-more.mdx"; +import { IntegrationInfoBlock } from "/snippets/integrations/IntegrationInfoBlock.jsx"; +import { Auth0SetupBlock } from "/snippets/integrations/Auth0SetupBlock.jsx"; +import { TokenVaultConfigBlock } from "/snippets/integrations/TokenVaultConfigBlock.jsx"; +import NextStepsBlock from "/snippets/integrations/NextStepsBlock.mdx"; -The Sign in with Slack integration enables your AI Agents to authenticate users with their Slack accounts and interact with Slack workspaces on their behalf. +Connect your AI Agents to Slack for team communication and workflow automation. -## Overview - -The Sign in with Slack integration is ideal for AI agents that need to participate in team communications, automate workflows, or provide intelligent assistance within Slack workspaces. This connection provides access to messages, channels, and workspace data. - -## Configuration +## Connect Slack to Auth0 - +
    1. Sign up for a [Slack Developer account](https://slack.com/signin). @@ -61,10 +59,9 @@ The Sign in with Slack integration is ideal for AI agents that need to participa Slack OAuth app you created.
    2. - In **Advanced**, toggle **Enable Token Vault**. This allows the - connection to retrieve and store access tokens for third-party APIs - securely. To learn more, read [Configure Token - Vault](https://auth0.com/docs/secure/tokens/token-vault/configure-token-vault). + In **Purpose**, toggle **Use for Connected Accounts for Token Vault**. This allows the + connection to retrieve and securely store access tokens for external APIs + . To learn more, read [Configure Connected Accounts for Token Vault](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault).
    3. Click **Create**.
    4. @@ -75,35 +72,16 @@ The Sign in with Slack integration is ideal for AI agents that need to participa + + ## Token Vault configuration Example To configure the Token Vault for your GitHub connection, you can use the following code snippet in your application: - - - ```tsx wrap lines - const auth0AI = new Auth0AI(); - - export const withSlackConnection = auth0AI.withTokenVault({ - connection: "sign-in-with-slack", - scopes: ["channels:read", ...], - refreshToken: getAuth0RefreshToken(), - }); - ``` - - - - ```python wrap lines - auth0_ai = Auth0AI() - - with_slack_connection = auth0_ai.with_token_vault( - connection="sign-in-with-slack", - scopes=["channels:read", ...], - refresh_token=get_auth0_refresh_token, - ) - ``` - - - + - + diff --git a/auth4genai/integrations/snapchat.mdx b/auth4genai/integrations/snapchat.mdx index a5a75cf8d..ec7397e8b 100644 --- a/auth4genai/integrations/snapchat.mdx +++ b/auth4genai/integrations/snapchat.mdx @@ -16,7 +16,7 @@ Connect your AI agent to a user's Snapchat account to share content like photos, 1. Visit the [Snapchat Developer account](https://developers.snapchat.com/) page and sign up. 2. Navigate to the [Snap Kit Portal](https://developers.snap.com/snap-kit/home) and create a new app in the Snapchat Developer Portal. - 3. You will need to pick the libraries you plan to use: Login Kit is required at the minimum. Ensure **Login Kit** is enabled for your app. + 3. You will need to pick the libraries you plan to use: Login Kit is required at the minimum. Ensure **Login Kit** is enabled for your app. 4. Generate a Confidential OAuth 2.0 Client ID and Client Secret and note: - **Client ID** (OAuth client_id) - **Client Secret** (OAuth client_secret) @@ -43,10 +43,10 @@ Connect your AI agent to a user's Snapchat account to share content like photos, To configure the Token Vault for your Snapchat connection, you can use the following code snippet in your application: - 
diff --git a/auth4genai/integrations/spotify.mdx b/auth4genai/integrations/spotify.mdx index 265ef12ef..f1ed756a2 100644 --- a/auth4genai/integrations/spotify.mdx +++ b/auth4genai/integrations/spotify.mdx @@ -40,7 +40,8 @@ To configure the Token Vault for your Spotify connection, you can use the follow diff --git a/auth4genai/integrations/tumblr.mdx b/auth4genai/integrations/tumblr.mdx index 8344d8b52..2b883aaa0 100644 --- a/auth4genai/integrations/tumblr.mdx +++ b/auth4genai/integrations/tumblr.mdx @@ -24,7 +24,7 @@ Connect your AI agent to a user's Tumblr blog to create and schedule new posts, 5. Note your **OAuth consumer key** and **OAuth consumer secret** - + @@ -37,7 +37,7 @@ To configure the Token Vault for your Tumblr connection, you can use the followi - \ No newline at end of file + diff --git a/auth4genai/integrations/twitch.mdx b/auth4genai/integrations/twitch.mdx index 2d03eacee..02812ef5c 100644 --- a/auth4genai/integrations/twitch.mdx +++ b/auth4genai/integrations/twitch.mdx @@ -42,10 +42,11 @@ Connect your AI agent to a user's Twitch channel to create stream markers, manag To configure the Token Vault for your Twitch connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/integrations/twitter.mdx b/auth4genai/integrations/twitter.mdx index a5bb64d3f..61b451ffc 100644 --- a/auth4genai/integrations/twitter.mdx +++ b/auth4genai/integrations/twitter.mdx @@ -41,10 +41,11 @@ Connect your AI agent to a user's Twitter account to monitor for specific keywor To configure the Token Vault for your X connection, you can use the following code snippet in your application: - - \ No newline at end of file + diff --git a/auth4genai/intro/account-linking.mdx b/auth4genai/intro/account-linking.mdx deleted file mode 100644 index c4e69087c..000000000 --- a/auth4genai/intro/account-linking.mdx +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -title: Account Linking -description: "Account linking in Auth0 allows a user to connect multiple identity provider accounts, such as Google, GitHub, or a corporate SAML connection, under a single, unified user profile. By default, Auth0 treats each login from a different provider as a separate user. Account linking merges these distinct identities, enabling a user to authenticate from any of their linked accounts and be recognized as the same person by your application." ---- - -## Why is account linking important for AI agents? - -For AI agents that need to act on a user's behalf, account linking is critical. An agent might need to access a user's calendar via their Google account and their code repositories through their GitHub account. Without account linking, the agent would see these as two separate users. - -By linking these accounts, your AI agents have a holistic view of the user. This unified profile is essential for Token Vault to retrieve the correct tokens for the various external services the agent needs to call. When an agent requests to access a third-party API, account linking ensures that Auth0 can associate that request with the current user and their authorized connections. - -### How it works - -The account linking process merges two user profiles into a primary and a secondary account. The user_id and core profile properties of the primary account are retained, and the secondary account's identity is added to the primary profile's identities array. Multiple secondary accounts can be added to a primary account by linking. - -There are two primary methods for implementing account linking: - -- [**User-initiated account linking (client-side)**](https://auth0.com/docs/manage-users/user-accounts/user-account-linking/user-initiated-account-linking-client-side-implementation)**:** In this scenario, the user explicitly chooses to link their accounts through a settings page or a similar interface within your application. 
This is a common pattern and is the recommended approach for many AI agent use cases. -- [**Suggested account linking (server-side)**](https://auth0.com/docs/manage-users/user-accounts/user-account-linking/suggested-account-linking-server-side-implementation)**:** This approach identifies users with the same verified email address across different connections and prompts them to link their accounts. This is typically handled in a regular web application where server-side code can query the Auth0 Management API to find potential accounts to link. This can also be done using the [Account Link Extension](https://auth0.com/docs/customize/extensions/account-link-extension). - -### Client-initiated account linking for AI agents - -**Client-initiated account linking** is a new option that provides a seamless way for users to grant AI agents access to different services. When an AI agent needs to access a new service (e.g., Google Calendar) for which it doesn't have a token, the application can trigger the account linking flow. - - - ![Client-initiated account linking - flow](/img/client_initiated_account_linking.png) - - -The key steps are: - - - - The client application initiates the flow when an agent needs access to a - new external provider. - - - The user is prompted to log in with the new account they wish to link. - - - Auth0 handles the authentication with the new provider and, upon successful - login, links the new identity to the user's primary profile. - - - With the accounts now linked, your application can use Token Vault to - retrieve an access token for the newly connected service to use for API - calls. - - - -This process ensures that the user maintains control and explicitly grants permission for each new service the agent needs to access, enhancing security and trust. - -For a detailed guide on implementing this flow, please refer to the [Client-Initiated Account Linking Guide](/guides/client-initiated-account-linking). 
- -## Get started - -To begin using Auth0 Token Vault with your AI agents, refer to the following resources: - -### Quickstarts - - - - - -### Guides - - - - - -### Learn more - - - - - - diff --git a/auth4genai/intro/asynchronous-authorization.mdx b/auth4genai/intro/asynchronous-authorization.mdx index f0e5d1ac1..f090defd4 100644 --- a/auth4genai/intro/asynchronous-authorization.mdx +++ b/auth4genai/intro/asynchronous-authorization.mdx 
@@ -66,6 +66,28 @@ The flow generally proceeds as follows: +## User consent and notification channel selection + +When Auth0 receives a backchannel request, it must decide which notification channel to use when requesting user approval. These are the currently available options (in order of preference): + +1. **Auth0 Guardian mobile push notification**: Sends a mobile push notification to the user's enrolled mobile device. Authentication and authorization happen in the device that received the notification. +2. **Email**: Sends an email to the user's verified address. The email contains a link and, when clicked, authentication & authorization happen in the browser. + +By default, Auth0 uses and recommends Guardian push notifications for CIBA flows. Guardian push notifications are more secure than other channels, such as email, which can be vulnerable to phishing attacks. You have to explicitly enable email notifications for CIBA flows. + + +**Email:** Email notifications for asynchronous authorization is a paid add-on feature, and is now available for all Essentials, Professional, and Enterprise plans. Please see our [pricing](https://auth0.com/pricing) page for more details. + + +The notification channel Auth0 uses may also be influenced by the following factors: +- The **Auth0 client's notification channel**: within the Auth0 application details screen, you can enable or disable notification channels for asynchronous authorization requests. These will configure the client's `async_approval_notification_channels` array setting. Currently available options are `guardian-push` and `email`. +- **Requested expiry**: when the agent's backend specifies a *requested expiry* greater than five minutes, MFA Push notification becomes a non-eligible option. +- **MFA configuration at the tenant level**: To enable the MFA push notification channel for a client application, you must configure MFA push notifications for the tenant. 
To learn more about configuring your tenant to use Auth0 Guardian with push notifications, read [Enroll in push notifications](https://auth0.com/docs/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications). ***Note***: Only the Auth0 Guardian push factor is supported at this time. +- **User's enrolled authenticators**: if the user is not enrolled to use an MFA push authenticator, Auth0 falls back to email, if configured, instead of rejecting the CIBA request. +- **User's email verification status**: if the user's email is not verified, Auth0 rejects the CIBA request. + +You can read more about the notification channel selection in the [Configure Client-Initiated Backchannel Authentication](https://auth0.com/docs/get-started/applications/configure-client-initiated-backchannel-authentication) documentation. + ## Get started To begin using Asynchronous Authorization in your AI agents, refer to the following resources: diff --git a/auth4genai/intro/integrations.mdx b/auth4genai/intro/integrations.mdx index f2b58e9e0..ce8a93ca6 100644 --- a/auth4genai/intro/integrations.mdx +++ b/auth4genai/intro/integrations.mdx @@ -60,11 +60,15 @@ To enable your AI agents to call APIs on a user’s behalf, you will need to: When configuring the Connection, you need to specify the default scopes (permissions) your application requires to access the user's data from the - third-party API. + third-party API.

      Make sure to select the following scopes in the Auth0 Dashboard: +
        +
      • **User Profile**: Requests basic profile information. Exact name depends on the connection.
      • +
      • **Offline Access**: Requests an Auth0 refresh token. Exact name depends on the connection.
      • +
      - - Scroll down to the end of the page to the **Advanced** section and toggle - **Enable Token Vault** and save the Connection. + + In the **Purpose** section, toggle on + **Use for Connected Accounts for Token Vault** and save the Connection. To learn more, read [Connected Accounts for Token Vault](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault). Ensure that the newly configured Connection is enabled for the Auth0 diff --git a/auth4genai/intro/token-vault.mdx b/auth4genai/intro/token-vault.mdx index 18be10f0c..93b91092b 100644 --- a/auth4genai/intro/token-vault.mdx +++ b/auth4genai/intro/token-vault.mdx @@ -1,6 +1,6 @@ --- title: Calling APIs with Token Vault -description: AI agents can use Token Vault to access data and perform actions in third-party systems to fulfill user requests. +description: AI agents can use Token Vault to connect accounts and access external APIs to fulfill user requests. sidebarTitle: Token Vault --- 
@@ -10,7 +10,9 @@ For example, a sales assistant AI agent might need to: - Access a user's documents to summarize them. - Connect to a CRM like Salesforce to retrieve customer information. -You can securely access external APIs on the user's behalf using Auth0's **Token Vault**. Users are prompted to provide consent for your AI Agent to access their other applications, and that access is stored and managed by Auth0. For example, they can provide consent for your AI agent to access their Google Calendar to view their schedule or set up meetings, or their Salesforce account to retrieve customer information. +You can securely access external APIs on the user's behalf using Auth0's **Token Vault**. Once an AI agent has authenticated a user with a supported external provider, the user is prompted to authorize the connection and connect their external account. With the user's consent, the AI agent can initiate a [Connect Account flow](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault#how-it-works), linking the user profile to external services like Google, GitHub, Slack, and more. + +Once the external account has been successfully connected, the AI agent can fetch the stored credentials in Token Vault to access external APIs on the user's behalf. For example, the user can provide consent for your AI agent to access their Google Calendar to view their schedule or set up meetings, or their Salesforce account to retrieve customer information.
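Review bot: The sentence introducing the snippet in the Sign in with Slack hunk (@@ -75,35 +72,16 @@) reads "To configure the Token Vault for your GitHub connection", but the snippets removed just below it used `connection: "sign-in-with-slack"`. Since this hunk already rewrites the block, change "GitHub" to "Slack" so the page does not point readers at the wrong connection.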
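Review bot: intro/account-linking.mdx is deleted outright (@@ -1,102 +0,0 @@) and no redirect for its path is visible in this part of the patch, so existing links and bookmarks to the page will break. Add a redirect to the Connected Accounts for Token Vault material that replaces it, or confirm that one is handled elsewhere. The deleted text also linked to /guides/client-initiated-account-linking, so check that no remaining page still points there.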
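Review bot: The factor list added in the asynchronous-authorization.mdx hunk (@@ -66,6 +66,28 @@) leaves two channel-selection outcomes unstated. It says a requested expiry greater than five minutes makes push non-eligible, but not whether the request is then rejected when `email` is absent from `async_approval_notification_channels`. And "if the user's email is not verified, Auth0 rejects the CIBA request" does not say whether that also applies when Guardian push is available. The section recommends push because email "can be vulnerable to phishing attacks", so spell out exactly when the fallback to email happens. Also change "Email notifications for asynchronous authorization is a paid add-on" to "are", and use one name for the push channel instead of alternating between "Guardian push notifications", "MFA Push notification" and "MFA push authenticator".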
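Review bot: The **Offline Access** bullet added in the integrations.mdx hunk (@@ -60,11 +60,15 @@) says it "Requests an Auth0 refresh token", while the step it sits in is about the default scopes the application needs for the third-party API. State which refresh token this scope yields and where it ends up. Both new bullets end with "Exact name depends on the connection", so one concrete example of the names as they appear in the Dashboard would help readers find them.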
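Review bot: The two sentences added at the top of the token-vault.mdx hunk (@@ -10,7 +10,9 @@) describe the consent step twice, in different orders. First the user "is prompted to authorize the connection" once the agent "has authenticated a user with a supported external provider", then "With the user's consent, the AI agent can initiate a Connect Account flow". Pick one sequence (who starts the flow, and when the user is prompted) and state it once. The replaced sentence said the access "is stored and managed by Auth0"; the new "fetch the stored credentials in Token Vault" should say what the agent actually receives, so readers do not assume it is handed the stored credentials themselves.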