Authentication and Authorization
On-Call Optimizer exclusively uses OAuth and OIDC for authorization and authentication; there is no support for accessing On-Call Optimizer via username/password.
On-Call Optimizer adheres to the principle of least privilege, requesting only the minimum OAuth permissions and scopes required to complete the action requested following the principle of incremental authorization. This allows users to mix and match between different providers without needing to grant an overly wide set of permissions to On-Call Optimizer.
Permissions requested at Login
On-Call Optimizer requests an OIDC login flow from the authentication provider, requesting the OIDC standard email and profile grants. On-Call Optimizer stores the email and name returned in the provided ID token.
When logging in with a Google Workspace or Microsoft organizational account, On-Call Optimizer will also retrieve and store the ID, name and primary domain of the workspace/organization of your account in order to create and associate your On-Call Optimizer account with a corresponding On-Call Optimizer Organization.
For Microsoft accounts the User.Read permission is requested in order to retrieve this information, as it is not included directly in the ID token.
All other information available to On-Call Optimizer during the login process is discarded. In particular, once the login process has completed, On-Call Optimizer does not retain or store the access or refresh tokens provided by the OIDC login flow.
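The minimal-retention rule described above, written out as an added example (not On-Call Optimizer's own code): after the OIDC client library has verified the ID token signature (assumed here; no signature check is performed), the standard claims are validated and only email and name are kept, while the access and refresh tokens in the token response are never persisted. Issuer, audience and nonce values are constructed for the example.

```python
import base64
import json
import time

# Constructed sample values for this example; not On-Call Optimizer's real configuration.
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "oncall-optimizer-client-id"
RETAINED_CLAIMS = ("email", "name")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims: dict) -> str:
    # Builds an unsigned (alg "none") token purely as test input; a real OIDC
    # client must verify the provider's signature before trusting any claim.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def minimal_login_record(token_response: dict, expected_nonce: str, now=None) -> dict:
    """Validate the standard ID token claims, then keep only email and name.
    Assumes the client library already verified the token signature."""
    now = time.time() if now is None else now
    _header, payload, _sig = token_response["id_token"].split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("ID token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # Only the retained claims survive; access_token, refresh_token and every
    # other claim in the response are dropped here rather than persisted.
    return {k: claims[k] for k in RETAINED_CLAIMS if k in claims}


if __name__ == "__main__":
    sample = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": time.time() + 300,
              "nonce": "n-1", "sub": "123", "email": "oncall@example.com", "name": "On Call"}
    response = {"id_token": make_sample_id_token(sample), "access_token": "at", "refresh_token": "rt"}
    print(minimal_login_record(response, "n-1"))
```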
Permissions requested when connecting a calendar
When connecting to a calendar provider, On-Call Optimizer uses a standard OAuth 2.0 authorization code flow to obtain a read-only access token, along with an offline access (refresh) token to allow continued access to the user's calendar.
Permissions requested when connecting an on-call product
On-Call Optimizer uses API tokens for access to any configured on-call product schedules. A read-only API token is supported when an on-call product is used as a source for On-Call Optimizer schedule configuration. A read-write API token is required when an on-call product is configured as a destination for a schedule.
Permissions requested when connecting to Slack
When the On-Call Optimizer Slack app is installed for a Slack Workspace, On-Call Optimizer receives an OAuth 2.0 access and refresh token which are used to access the Slack API. The following scopes are required for the On-Call Optimizer Slack app:
- app_mentions:read - to allow the app to receive app_mention notifications, in order to respond when the app is directly mentioned.
- channels:read, groups:read, im:read - to allow the app to receive member_joined_channel and member_left_channel events in order to keep track of the channels it has been invited to be present in, and to make conversations.info API requests to retrieve the name of those channels. On-Call Optimizer only receives these events and requests information for channels which it has been invited to join.
- chat:write - to allow the app to send messages to channels using the chat.postMessage and chat.postEphemeral API requests. On-Call Optimizer only sends messages in response to a command request or to deliver a configured notification.
- im:history - to allow the app to receive message.im notifications when a user directly interacts with the app from the messages tab of the App Home surface. On-Call Optimizer does not make any API requests using this scope.
- reactions:read, reactions:write - to allow the app to make reactions.* API requests in order to provide reactions indicating the status of On-Call Optimizer's response to a command request issued by a user. On-Call Optimizer does not read or write reactions to any other messages.
Permissions Summary
| Action | Scopes Requested | Includes Offline Access | Note |
|---|---|---|---|
| Login | email, profile | Yes [0] | |
| Login | User.Read | Yes [0] | Microsoft accounts only |
| Connect to Calendar | read only [1] | Yes | |
| Connect to On-Call Product | API Key | Yes | |
| Slack App Install | app_mentions:read, channels:read, groups:read, im:read, chat:write, im:history, reactions:read, reactions:write | Yes | |
[0]: The OIDC protocol includes the offline access scope by default; however, On-Call Optimizer does not retain the provided refresh (or access) tokens, so no offline access is available to On-Call Optimizer, even though the permissions screen seen by the user indicates it may be.
[1]: Refer to the calendar provider for details on the specific scope name: Google, Outlook