Security

Implementing TLS

It's recommended that the URLs of the bot service use HTTPS. However, for testing environments, HTTP URLs can be used. In addition, VoiceAI Connect can be configured to accept self-signed certificates from the bot service.

Authentication with Bot

It's recommended that VoiceAI Connect implement an authentication scheme with the bot. This can be one of the following:

OAuth 2.0 authentication and authorization. For more information, see OAuth 2.0 Authentication.
VoiceAI Connect configured with a permanent token value that is sent in the 'Authorization: Bearer <token>' header for every HTTP request to the bot. This token is used by the bot service to authenticate VoiceAI Connect. For more information, see Token Authentication.

For environments that don’t require this authentication (e.g., when implementing an alternative authentication method), the token can be left without a value, and no 'Authorization' header will be sent.

OAuth 2.0 Authentication

The OAuth 2.0 authorization standard can be used to authenticate VoiceAI Connect with a bot’s service that implements AudioCodes Bot API.

Upon initial communication with the bot, VoiceAI Connect acting as a client, requests an access token from a third-party OAuth 2.0 server (determined by Customer). The authorization server identifies VoiceAI Connect by the shared secret key, client ID and optionally, scope (all provided to AudioCodes by the Customer). Therefore, VoiceAI Connect must be configured with these values (provided by the Customer), using the following parameters under the providers section:

oauthTokenUrl – URL of authentication server
oauthClientId – client_id provided by the API
oauthClientSecret – client_secret provided by the API
oauthScope - scope(s) provided by the API

For example:

{
  "name": "my_ac_api",
  "type": "ac-api",
  "botURL": "https://localhost:8083/CreateConversation",
  "ttsUrl": "https://localhost:8043/cognitiveservices/v1",
  "sttUrl": "wss://localhost:8043",
  "oauthTokenUrl": "https://awebrtcoauth.audiocodes.com/auth...",
  "oauthScope": [
    "somescope"
  ],
  "credentials": {
    "oauthClientId": "my_ac_api",
    "oauthClientSecret": "b16d2ec0-2b4e-4989-93c1-a59933fa2070"
  },
  "botAllowSelfSignedCert": true
}

Upon receipt of the access token from the authorization server, VoiceAI Connect includes this OAuth access token in each HTTP request (Authorization: Bearer header) that it sends to the AudioCodes Bot API that needs to be accessed at the provider.

The access token is used for all subsequent requests and calls by the specific bot, until the token expires. Prior to expiry (about 30 seconds before), VoiceAI Connect requests a new access token from the authorization server. If the token expires and no new access token is obtained from the server, existing calls are terminated and no new calls can be made until a new token is obtained.

Permanent Token Authentication

VoiceAI Connect can be configured (credentials > token parameter) with a permanent token value that is sent in the 'Authorization: Bearer <token>' header for every HTTP request. This token is used by the bot service to authenticate VoiceAI Connect.

To prevent malicious attackers from obtaining the token key and accessing resources, store the token key in a secure place.

If you have configured OAuth 2.0 authentication (as described in OAuth 2.0 Authentication) and a permanent token as described in this section, OAuth authentication takes precedence (i.e., permanent token method is ignored).