
copyright: years: 2018, 2023 lastupdated: "2023-01-07"


Enabling user name and password based token authentication for Watson services

Important: These instructions are for service instances that use Cloud Foundry based credentials.

To reduce the response time for connected Watson services, you can enable token authentication to obtain and cache tokens related to a particular set of credentials for each service. This reduces delays in conversation for the customer by reducing the frequency of LDAP lookups in Version 1.0.0.5a and later.

When token authentication is enabled for basic authentication, a token is retrieved the first time a lookup occurs with a specific set of service credentials. After the first lookup, the token is cached using a key that includes the user name and password combination for basic authentication. Any subsequent requests to that service using the same set of credentials use the token to authenticate instead of the user name and password. If the service request fails because the token timed out, a new token is retrieved and cached. As explained in Tokens for authentication, tokens from the service expire after one hour. The authentication token caches expire after 24 hours and are refreshed only when a request to a service is made.

Avoid trouble: If you change the credentials for one of the services in a Voice Gateway action, you must specify that token authentication is enabled in the new credentials. If you don't, authentication reverts to the default basic authentication.
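The caching behaviour described above, sketched as an added Python example; it is not Voice Gateway code and does not come from the original page. The `TokenCache` class, the `fetch_token` callable, the service label and the SHA-256 cache key are assumptions made for illustration; only the one-hour and 24-hour lifetimes are taken from the text.

```python
import hashlib
import json
import time

TOKEN_LIFETIME = 3600       # per the page: service tokens expire after one hour
CACHE_LIFETIME = 24 * 3600  # per the page: token cache entries expire after 24 hours

class TokenRejected(Exception):
    """Raised by a service call when the presented token has timed out."""

class TokenCache:
    def __init__(self, fetch_token, clock=time.time):
        self._fetch = fetch_token  # hypothetical callable: (username, password) -> token
        self._clock = clock
        self._entries = {}         # cache key -> (token, time it was cached)

    @staticmethod
    def _key(service, username, password):
        # Assumption: key on a digest so the plaintext password is not the dict key.
        blob = json.dumps([service, username, password]).encode()
        return hashlib.sha256(blob).hexdigest()

    def _token(self, service, username, password, force=False):
        key, now = self._key(service, username, password), self._clock()
        entry = self._entries.get(key)
        if force or entry is None or now - entry[1] >= CACHE_LIFETIME:
            entry = self._entries[key] = (self._fetch(username, password), now)
        return entry[0]

    def call(self, service, username, password, request):
        """Send request(token); if the token timed out, fetch a new one and retry once."""
        try:
            return request(self._token(service, username, password))
        except TokenRejected:
            return request(self._token(service, username, password, force=True))

def simulate(call_times):
    """Constructed scenario: one call at each time (seconds); returns tokens fetched."""
    now, issued = [0.0], []  # fake clock; issue time of each token fetched
    def fetch(username, password):
        issued.append(now[0])
        return len(issued) - 1  # constructed token: index into `issued`
    def request(token):
        if now[0] - issued[token] >= TOKEN_LIFETIME:
            raise TokenRejected(token)
        return "ok"
    cache = TokenCache(fetch, clock=lambda: now[0])
    for now[0] in call_times:  # advance the fake clock to each call time
        cache.call("stt", "user-placeholder", "password-placeholder", request)
    return len(issued)
```

Because the key is derived from the credential pair, a changed password produces a new cache entry and a fresh token fetch rather than reuse of the token tied to the old password.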

Configuring token authentication in a multi-tenant JSON configuration

You can enable token authentication in a JSON configuration file by configuring each of the services to use tokenAuthEnabled, tokenServiceProviderUrl, and tokenServiceUrl. The following JSON configuration shows how to enable token authentication for a particular tenant.

Note: When token authentication is enabled and the tokenServiceUrl attribute in the conversation object is not defined, it automatically uses the url value for the Watson Assistant API.

{
    "tenants": [{
        "tenantURI": "2345556789",
        "description": "Voice Gateway Demo US",
        "whitelistFromUri": "8765554321",
        "putCallerOnHoldOnTransfer": "false",
        "conversation": {
            "url": "https://api.us-south.assistant.watson.cloud.ibm.com/instances/{instance_id}",
            "workspaceID": "a23de67h-e527-40d5-a867-5c0ce9e72d0d",
            "password": "InWtiUpYhF1Z",
            "username": "9h7f54cb-d9ed-46b3-8492-e9a9bf555021",
            "tokenAuthEnabled": true
        },
        "stt": {
            "credentials": {
                "url": "https://api.us-south.speech-to-text.watson.cloud.ibm.com/instances/{instance_id}",
                "username": "9h7f54cb-f28f-4a64-91e1-a0657e1dd3f4",
                "password": "IAB5jfxls0Zt",
                "tokenAuthEnabled": true
            },
            "config": {
                "model": "en-US_NarrowbandModel",
                "profanity_filter": true,
                "smart_formatting": true
            },
            "confidenceScoreThreshold": 0.2,
            "echoSuppression": true,
            "bargeInResume": true
        },
        "tts": {
            "cacheTimeToLive": 336,
            "credentials": {
                "url": "https://api.us-south.text-to-speech.watson.cloud.ibm.com/instances/{instance_id}",
                "username": "9h7f54cb-8b0f-4766-8b15-eaa8f7c3fae7",
                "password": "HcmzFp1kec1P",
                "tokenAuthEnabled": true
            },
            "config": {
                "voice": "en-US_MichaelVoice"
            }
        }
    }]
}

Note: If token authentication fails for IBM® Text to Speech, add the tokenServiceUrl to the credentials.

{
    "tts": {
        "cacheTimeToLive": 336,
        "credentials": {
            "url": "https://api.us-south.text-to-speech.watson.cloud.ibm.com/instances/{instance_id}",
            "username": "9h7f54cb-8b0f-4766-8b15-eaa8f7c3fae7",
            "password": "HcmzFp1kec1P",
            "tokenAuthEnabled": true,
            "tokenServiceUrl": "https://iam.cloud.ibm.com/identity/token"
        }
    }
}

Configuring token authentication in a single tenant environment

You can enable token authentication in a single tenant environment by configuring the following environment variables for each container.

SIP Orchestrator:

environment:
    - WATSON_CONVERSATION_TOKEN_AUTH_ENABLED=true

Media Relay:

environment:
    - WATSON_TTS_TOKEN_AUTH_ENABLED=true
    - WATSON_STT_TOKEN_AUTH_ENABLED=true