User Authentication

Brand's Digital Resources (Native Mobile App, Website)

It is the brand's responsibility to authenticate the user within the brand's digital resources. Once authentication is completed, "token exchange" should take place using the LivePerson SDK. The received token should indicate which user authenticated.

LivePerson supports OIDC ID Tokens. The ID Token is a security token that contains claims about the authentication of an end-user by an authorization server when using a client, and potentially other requested claims. The ID Token is represented as a JSON Web Token (JWT).

LivePerson supports the following methods for passing the Oauth tokens: implicit, code flow, and PKCE.

LivePerson SDK (iOS, Android) This is a LivePerson layer embedded into the customer app (mobile/web). It mediates between the app and the LivePerson Service and provides the interaction conversation UI. This layer calls the mobile app to supply an OAuth 2.0 code whenever the LivePerson Service needs it.

Token Exchange

Token exchange using LivePerson's SDK for native mobile application To authenticate a user (brand's consumer), the SDK requires an OAuth 2.0 code or JWT (depending on the specific flow) supplied by the mobile app.

Token exchange using JavaScript for web application The customer web app is based on an embedded LivePerson's Web-SDK. The web app can display the embedded window originated by the LivePerson SDK, or open a Conversational Cloud popup window to interact with the consumer. When the Conversational Cloud embedded window is set to pop-out mode, the authentication must take place using a page redirect mechanism.

Retrieving token using 'Token Endpoint' In case using token endpoint which accepts a valid OAuth 2.0 code along with the clientID and secret information, response should include a valid id_token (in case of delegation flow, it will include the access_token and refresh_token)_. The id_token should contain user unique identifier and additional claims, encoded and signed as a JWT. The clientID and secret information are encoded in the Authorization header as per https://developers.liveperson.com/consumer-authentication-implementation-guide.html#openid-connect-provider-op-development-details.

Example of token request (made by LivePerson to your authorization server):

POST /oauth2/v3/token HTTP/1.1
Host: www.customer.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

code=3shshs92jsls/snxbxismNSsgHSVb&
redirect_uri=https://liveperson.net/oauth2/code_redirect&
grant_type=authorization_code

Example of token response (your authorization server response to LivePerson):

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
   "access_token": "g87t53ea00999321e0c7c1dd8197881a17d67e27ae596320
     c352297ee3154861",  # Used in delegation flow
   "token_type": "Bearer",
  "refresh_token": "g6e258a5deeb573192ebab4f8d65e3e81eddcb551a15ee6e
     6b50ac5b6e3a8ea781416c1e366a1ac3486523b0b0c82e1f3e93003031f66ef
     a7af00d681fe4f6943793c376a81b10d73980e59d874ef629bafe3d2de3558d
     5e847ea0ab588b5e8644eb0941d92908764bc82cdab7a04a61579009eadde40
     f23beae7f68dfd03b769f3f4ac9daa047183a562160551a09c2d4f2ae0bf7e2
     a82a0a241e071dcdd8af20791b3db1c58c76149274a4814a463de920fefec6e
     84ad3bcf1d99f8c348cd26516b7f54edaf41a3035f82d31c122e0becd083575
     57287beb4ae2e13516e969fced89443425a59d7878f44e74928e19a8651a31a
     8ae18e6b9eb44f4fdf8fcf264b2127b3e1c096720d8915464d6cf5",  # Used in delegation flow
   "expires_in": 3600,
   "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
     yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
     NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
     fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
     AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
     Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
     NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
     QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
     K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
     XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}

The id_token in the response is standard JWT and can be translated to the unpacked form. Here is an example of the unpacked id_token:

{
   "iss": "www.customer.com",     # issuer
   "sub": "fdskjfd-user-id-3773hshshs",   # user id
   "exp": "1353801026",           # expiration timestamp
   "iat": "1353601026",             # token issuing  timestamp
   "email": "user@gmail.com",
   "picture": "http://www.customer.com/pics/fdskjfd-user-id-3773hshshs"
}