Arbitrary Implicit Grant port

    Posted 06-05-2025 18:29

    Adrian_Santamaria | 2024-01-29 17:44:09 UTC | #1

    Hello!

    I'm trying to create a Desktop app that uses Implicit Grant. The approach is basically opening the login page in the browser while starting to listen at the callback address at localhost.

    I've been able to make it work. However, I have to set a static port both in the app and in the OAuth Client Authorized redirect URIs.

    Is there any way to configure the Authorized redirect URI to allow any port? Like: http://localhost:*/gc-auth-callback

    So the port where localhost would be listening would be determined at runtime (any free one).


    Eos_Rios | 2024-01-29 19:04:34 UTC | #3

    While supported by the RFC ("The authorization server MUST allow any port to be specified at the time of the request for loopback IP redirect URIs, to accommodate clients that obtain an available ephemeral port from the operating system at the time of the request."), Tim has previously stated the URLs must be absolutely exact, so I am doubtful, but you could test.


    tim.smith | 2024-01-29 19:37:36 UTC | #4

    Eos_Rios, post:3, topic:24355
    Tim has previously stated the URLs must be absolutely exact,

    Confirmed. :slight_smile:

    While the RFC does call for this, Genesys Cloud does not allow it. I believe this is an intentional deviation from the spec, but I've asked the auth team for confirmation. I'll post back here if I get an answer that's anything other than it's working as intended.


    Adrian_Santamaria | 2024-01-30 08:55:33 UTC | #5

    Thank you @Eos_Rios and @tim.smith !

    I understand that allowing any port could be a potential security risk, but I think it could be reasonable to have an exception just for loopback addresses.


    tim.smith | 2024-01-30 14:41:35 UTC | #6

    You can request this as a feature and share your use case at https://genesyscloud.ideas.aha.io/


    Adrian_Santamaria | 2024-01-30 15:24:17 UTC | #7

    Hi @tim.smith I understand then that the auth team confirmed that the deviation from RFC is intentional, right?


    tim.smith | 2024-01-31 18:13:25 UTC | #8

    Eos_Rios, post:3, topic:24355
    While supported by the RFC

    After some discussion, this isn't the correct RFC. 8252 is specific to "native" apps, which the RFC describes as:

    An app or application that is installed by the user to their device, as distinct from a web app that runs in the browser context only. Apps implemented using web-based technology but distributed as a native app, so-called "hybrid apps", are considered equivalent to native apps for the purpose of this specification.

    While there's an argument to be made that Genesys Cloud should implement that RFC to provide alternate behavior for such native apps, it does not support this RFC currently. This would be a new feature request.

    Genesys Cloud OAuth is implemented based on the core OAuth 2.0 RFC, 6749. Section 3.1.2.3 describes how the comparison is to be done, which ultimately leads to RFC 3986 section 6.2.1, which is a simple string comparison to check that two strings are equivalent/identical. This is the method that is used to check redirect URIs.

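    To make the distinction in the reply above concrete, here is an added example (not Genesys Cloud code and not from any poster in this thread) that puts the two redirect URI matching rules side by side: exact string comparison as in RFC 6749 section 3.1.2.3 / RFC 3986 section 6.2.1, and the RFC 8252 section 7.3 loopback exception, which relaxes only the port and only for loopback IP literals. Function names and the sample URIs are my own.

```python
from urllib.parse import urlsplit

# RFC 8252 7.3 applies the port exception to loopback IP literals.
# The "localhost" host name is not an IP literal and RFC 8252 8.3
# marks its use as NOT RECOMMENDED, so it gets no exception here.
LOOPBACK_LITERALS = {"127.0.0.1", "::1"}


def strict_match(registered: str, requested: str) -> bool:
    """RFC 6749 3.1.2.3 -> RFC 3986 6.2.1: simple string comparison.

    This is the behaviour the thread describes for Genesys Cloud:
    any difference, including the port, is a mismatch.
    """
    return registered == requested


def loopback_match(registered: str, requested: str) -> bool:
    """RFC 8252 7.3 matching for native apps.

    Exact match always passes. Otherwise the URIs must agree on
    scheme, loopback IP literal host, path, query and fragment;
    only the port may differ, so a client can bind an ephemeral port.
    """
    if strict_match(registered, requested):
        return True
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme != "http" or req.scheme != "http":
        return False
    if reg.hostname not in LOOPBACK_LITERALS or req.hostname != reg.hostname:
        return False
    return (reg.path, reg.query, reg.fragment) == (req.path, req.query, req.fragment)


def evaluate(registered: str, requested: str) -> dict:
    """Report how each rule treats one registered/requested pair."""
    return {
        "strict": strict_match(registered, requested),
        "rfc8252": loopback_match(registered, requested),
    }


if __name__ == "__main__":
    # Constructed sample: the poster's static-port setup versus an
    # ephemeral port chosen at runtime, with a loopback IP literal.
    print(evaluate("http://127.0.0.1:8080/gc-auth-callback",
                   "http://127.0.0.1:51234/gc-auth-callback"))
```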

    Eos_Rios | 2024-01-31 18:43:08 UTC | #9

    He's trying to use the SDK to build a native app, so easy misunderstanding as to which proposal level was implemented/supported.

    I am guessing that means updating to the newer RFC specification wasn't already on the list for this year's tooling refresh though? :laughing:


    tim.smith | 2024-01-31 19:11:04 UTC | #10

    Eos_Rios, post:9, topic:24355
    I am guessing that means updating to the newer RFC specification wasn't already on the list for this year's tooling refresh though?

    It's not possible to add features to the SDK that the product doesn't support. Changing how the auth service works has to start with a product feature request.


    Adrian_Santamaria | 2024-02-01 16:25:11 UTC | #11

    Thank you both :smiley:

    I've created this idea to ask for this. I hope it does not get lost in the abandoned ideas ocean :rofl:.


    David_Groves | 2024-02-05 14:43:59 UTC | #12

    Try using this: (https://github.com/MyPureCloud/oauth-webview-dotnet)

    This uses the edge browser embedded inside a .NET Desktop App to enable login using web implicit grant and get a token. Once you have the token, you can basically do anything that is permitted to the logged-in user and the scope of the oauth client-id.

    In particular, because Genesys OAUTH redirects you back to the requested redirect-uri, the browser can detect this and take the token. No need to listen on localhost - which won't work if you're behind a NAT firewall anyway (which is likely in an enterprise environment).


    system | 2024-03-06 14:44:35 UTC | #13

    This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.


    This post was migrated from the old Developer Forum.

    ref: 24355