User Authentication (OAuth2)

Because the end user typically interacts with the agent through a chat GUI, a tool does not initially know who the end user is. If a tool needs to authenticate the end user when it receives a command from the agent, it can do so using OAuth2. For example, if you develop a tool command that sends email through Google Mail (Gmail) under the end user's Google identity, you would use the OAuth2 process to authenticate the end user and obtain an access token with the permissions needed to send email on their behalf.

The HelperAI Tool Manifest lets you configure OAuth2 authentication flows and specify a different authentication method for each flow, such as Google OAuth2 or Facebook OAuth2. When the agent calls a tool command, it automatically checks whether every OAuth2 authentication flow specified in the Tool Manifest has been completed. If not, HelperAI sends the end user a conversation message with a dedicated authentication link, which helps them complete identity verification and obtain the necessary access token. These end-user access tokens are centrally managed by the HelperAI platform and are passed to the Tool side as parameters when the Tool Command Webhook is invoked.

The benefit of having HelperAI manage the access tokens is that the Tool side does not need to manage their lifecycle or implement token refresh mechanisms. When an access token is about to expire, HelperAI automatically updates it using the refresh token. After the update is complete, the new access token is passed to the Tool side along with the tool command parameters.
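
As an added example (not HelperAI's own code), here is how a tool-side handler could use the per-invocation token for the Gmail case above: it reads the token from the webhook parameters, uses it for one call without caching it, and redacts it before logging. The page does not specify the webhook payload, so the `access_token`, `to`, `subject` and `body` parameter names and both function names are assumptions.

```python
import base64
import json
import urllib.request
from email.message import EmailMessage

GMAIL_SEND_URL = "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"
TOKEN_FIELD = "access_token"  # assumed parameter name; the page does not give it

# Constructed sample invocation (not a real payload or token).
SAMPLE_PARAMS = {"access_token": "constructed-sample-token", "to": "alice@example.com",
                 "subject": "Hello", "body": "Sent on behalf of the end user."}


def redact(params: dict) -> dict:
    """Copy of the webhook parameters that is safe to write to logs."""
    return {k: ("[REDACTED]" if k == TOKEN_FIELD else v) for k, v in params.items()}


def build_send_request(params: dict) -> urllib.request.Request:
    """Build the Gmail send call from one invocation's parameters.

    The token is used for this call only and never cached: the platform
    refreshes it and passes the current one with every command.
    """
    token = params.get(TOKEN_FIELD)
    if not isinstance(token, str) or not token.strip():
        raise PermissionError("no end-user access token in webhook parameters")
    if "\r" in token or "\n" in token:
        raise ValueError("access token contains a line break")

    msg = EmailMessage()
    msg["To"] = params["to"]
    msg["Subject"] = params["subject"]
    msg.set_content(params["body"])
    raw = base64.urlsafe_b64encode(msg.as_bytes()).decode("ascii")

    return urllib.request.Request(
        GMAIL_SEND_URL,
        data=json.dumps({"raw": raw}).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    print("webhook parameters:", redact(SAMPLE_PARAMS))
    req = build_send_request(SAMPLE_PARAMS)  # pass to urllib.request.urlopen to send
    print(req.get_method(), req.full_url)
```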

For more information on configuring user authentication, please refer to the "authorize-end-user-via-oauth2.md" guide.