On-Call Optimizer exclusively uses OAuth and OIDC for authorization and authentication; there is no support for accessing On-Call Optimizer via username/password.
On-Call Optimizer adheres to the principle of least privilege: following the principle of incremental authorization, it requests only the minimum OAuth permissions and scopes required to complete the requested action. This allows users to mix and match between different providers without needing to grant an overly wide set of permissions to On-Call Optimizer.
On-Call Optimizer requests an OIDC login flow from the authentication provider, requesting the OIDC standard email and profile grants. On-Call Optimizer stores the email and name returned in the provided ID token.
When logging in with a Google Workspace or Microsoft organizational account, On-Call Optimizer will also retrieve and store the ID, name and primary domain of the workspace/organization of your account in order to create and associate your On-Call Optimizer account with a corresponding On-Call Optimizer Organization.
For Microsoft accounts, the User.Read permission is requested in order to retrieve this information, as it is not included directly in the ID token.
All other information available to On-Call Optimizer during the login process is discarded. In particular, once the login process has completed, On-Call Optimizer does not retain or store the access or refresh tokens provided by the OIDC login flow.
When connecting to a calendar provider, On-Call Optimizer uses a standard OAuth 2.0 authorization code flow to obtain a read-only access token, along with an offline access (refresh) token to allow continuing access to the user's calendar.
On-Call Optimizer uses API tokens for access to any configured on-call product schedules. A read-only API token is supported when an on-call product is used as a source for On-Call Optimizer schedule configuration. A read-write API token is required when an on-call product is configured as a destination for a schedule.
When the On-Call Optimizer Slack app is installed for a Slack Workspace, On-Call Optimizer receives an OAuth 2.0 access and refresh token which are used to access the Slack API. The following scopes are required for the On-Call Optimizer Slack app:
Action | Scopes Requested | Includes Offline Access | Note |
---|---|---|---|
Login | email, profile | Yes [0] | |
Login | User.Read | Yes [0] | Microsoft accounts only |
Connect to Calendar | read only [1] | Yes | |
Connect to On-Call Product | API Key | Yes | |
Slack App Install | app_mentions:read, channels:read, groups:read, im:read, chat:write, im:history, reactions:read, reactions:write | Yes | |
[0]: The OIDC protocol includes the offline access scope by default; however, On-Call Optimizer does not retain the provided refresh (or access) tokens, so no offline access is available to On-Call Optimizer, even though the permissions screen seen by the user indicates it may be.
[1]: Refer to the calendar provider for details on the specific scope name: Google, Outlook
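An administrator reviewing a consent grant can compare the scopes actually granted against the table above. The following is an added example, not On-Call Optimizer's own code: the action keys and sample grant strings are constructed, and the calendar and API key rows are omitted because this page gives no scope names for them.

```python
import re

# Scopes documented per action in the table above (action keys are hypothetical).
DOCUMENTED = {
    "login": {"email", "profile"},
    "login_microsoft": {"email", "profile", "User.Read"},
    "slack_app_install": {
        "app_mentions:read", "channels:read", "groups:read", "im:read",
        "chat:write", "im:history", "reactions:read", "reactions:write",
    },
}

# Assumption (not from the table): "openid" is mandatory in every OIDC request,
# and footnote [0] says the consent screen may show offline access, so both are
# tolerated for login actions but still reported.
OIDC_EXTRAS = {"openid", "offline_access"}


def parse_scopes(raw):
    """Split a scope string; OAuth 2.0 uses spaces, Slack uses commas."""
    return {s for s in re.split(r"[,\s]+", raw.strip()) if s}


def audit_grant(action, raw_scopes):
    """Compare a granted scope string with the documented set for an action."""
    if action not in DOCUMENTED:
        raise ValueError(f"no documented scopes for action {action!r}")
    granted = parse_scopes(raw_scopes)
    expected = DOCUMENTED[action]
    tolerated = OIDC_EXTRAS if action.startswith("login") else set()
    return {
        "unexpected": sorted(granted - expected - tolerated),
        "missing": sorted(expected - granted),
        "tolerated": sorted(granted & tolerated),
        "ok": granted - tolerated <= expected,  # nothing beyond the documented set
    }


if __name__ == "__main__":
    # Constructed sample grants, as copied from a consent or audit log.
    samples = [
        ("login", "openid email profile"),
        ("login_microsoft", "openid email profile User.Read Mail.Read"),
        ("slack_app_install", "app_mentions:read,channels:read,chat:write,files:read"),
    ]
    for action, raw in samples:
        print(action, audit_grant(action, raw))
```
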