Overview

Authentication in MCP is a feature which allows you to restrict access to particular commands (reponses, case types) only for authenticated user. This authentication doesn't have any impact on PRPC authentication, MCP still uses copy of tamplate user as PRPC logged operator. Each channel could provide additional logic to this (for example account linking in facebook which switches PRPC operator to existing one), the same could be done on application layer.

MCP provides new "Authenticate" action and new system response, those are available in channels which supports authentication process.

There are two possibilities to trigger authentication process:

• invoke command which requires authentication (for unauthenticated user)
  
• invoke "Authenticate" action as user intent
  

On behaviour tab we can also configure authentication timeout which gives possibility to control how long the user could be treated as authenticated since last successful authentication.

System responses

There are 3 system responses for authentication purposes:

• Authenticate - fixed "Authenticate" action. It is called if the user is unauthenticated (pxIsAuthenticated returns false) and invoked command requires authentication.
• Authentication-fail - called if authentication fails (pyVerifyUser returns error)
• Authentication-success - called for correct authentication

How to enable authentication in my channel

1. Add Data-Channel-Configuration-<YOURCHANNEL>.pyIsAuthenticationSupported when rule to return "true" - turn on all "authentication" capabilities for your channel ("authenticate" action, system responses, authentication timeout, "authentication required" on responses)
   
2. Add Work-Channel-Interaction-<YOURCHANNE>.pyStartAuthenticationProcess activity and implement logic which triggers channel specific authentication - for example display login screen, send some different payload to application etc.
3. At the and of channel specific logic it is require to call Work-Channel-Interaction.pxAuthenticate with "externalUserId" parameter.
4. The developer of a channel is able to abandon authentication by calling Work-Channel-Interaction.pxUnuthenticate

That's all.

As part of pxAuthenticate it is possible to check whether user is authenticated using when rule Work-Channel-Interaction.pxIsAuthenticated.

As addition MCP provides few extension points to allow some customisation for channel's and app developers:

• Work-Channel-Interaction.pyVerifyUser - called at the beginning of pxAuthenticate, allows developer to check authenticated user against any conditions and set error if something is wrong, in that case user won't be authenticated correctly and authentication-fail system response will be triggered. (It is enough to set error status on activity)
• Work-Channel-Interaction.pyOnAuthenticationFail - called if user verification fails, just before authentication-fail system response
• Work-Channel-Interaction.pyOnAuthenticationSuccess - called if user is verified, just before authentication-success system response