Authenticated Messenger does not call for a new token with refresh token when current access token is expired

  Thread closed by the administrator, not accepting new replies.
  • 1.  Authenticated Messenger does not call for a new token with refresh token when current access token is expired

    Posted 12-21-2023 14:05

    We have integrated Messenger to work with AWS Cognito. The validity of the access token was set to 5 minutes and the refresh token was set to 60 minutes. We initiated a login and initiated an interaction on Messenger. We could see all tokens in local storage. We were expecting it to get a new access token after 5 minutes but could not see any activity in the network logs. It did let us continue the interaction even after the expiry of the access token. But when the browser session got refreshed after 5 minutes, it stopped working. The same was working when we refreshed while the access token was still valid. Can someone explain if this is normal, or is there an issue in not using the refresh token when the access token is expired, as well as when the browser is refreshed with a valid refresh token?


    #DigitalChannels

    ------------------------------
    Rizwan Khan
    Tata Consultancy Services Ltd
    ------------------------------


  • 2.  RE: Authenticated Messenger does not call for a new token with refresh token when current access token is expired
    Best Answer

    Posted 12-22-2023 04:14

    Hi,

    Thank you for reaching out.

    Could you clarify which tokens you are referring to?
    Cognito tokens or Genesys tokens?

    First, let me try to clarify a few things.
    Access token is a "key" that gives you access to protected APIs for a period of time.
    Access token is being used to perform login or logout.
    Once login or logout is performed, you don't need to have a valid access token all the time until an operation that requires it is required.
    So the fact that there is no automatic refresh of access token is not an issue in itself.

    Can you check that you are requesting 'offline access' as part of the scope?
    The following rules apply for generating a JWT / Refresh token from Genesys auth service:

    • For the Genesys JWT, lifetime has the value of Access token from the authorization server (Cognito) but cannot exceed 15 minutes.
    • Genesys Refresh token may or may not be generated.
      If requested through the offline_scope, Refresh token lifetime is set to 24 hours.
      If not requested, a Refresh token can still be provided given the Access token is higher than 15 minutes.
      In such case, Refresh token lifetime is same as the Access token one.
      If Access token is less than 15 minutes, no Refresh token is provided.

    So given that you're saying the JWT lifetime is 5 min, I would expect no refresh token to be provided if the offline scope is not set.

    Now refreshing the browser with an expired access token but a valid refresh token could be an issue indeed.
    I would advise to open a ticket with Care so that you can share logs and info on your environment and we can investigate further.

    Hope this helps,


    Best regards.
    V.P.



    ------------------------------
    Vincent Pirat
    Genesys - Employees
    ------------------------------
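
The lifetime rules listed in the answer above, written out as an added JavaScript example that is not Genesys code and not from either poster. All function and field names are hypothetical, and the exactly-15-minute case without the offline scope is returned as `undefined` because the answer does not cover it.

```javascript
// Model of the token lifetime rules as stated in the answer above.
// Added illustration only: names are hypothetical, not a Genesys API.
const JWT_CAP_MIN = 15;              // cap on the Genesys JWT lifetime (from the answer)
const OFFLINE_REFRESH_MIN = 24 * 60; // refresh lifetime when the offline scope is requested

// idpAccessMin: access token lifetime configured at the authorization server (minutes).
// offlineScopeRequested: whether the offline scope was part of the requested scope.
function genesysTokenLifetimes(idpAccessMin, offlineScopeRequested) {
  if (!Number.isFinite(idpAccessMin) || idpAccessMin <= 0) {
    throw new RangeError("idpAccessMin must be a positive number of minutes");
  }
  const jwtMin = Math.min(idpAccessMin, JWT_CAP_MIN);
  let refreshMin;
  if (offlineScopeRequested) {
    refreshMin = OFFLINE_REFRESH_MIN;  // requested: 24 hours
  } else if (idpAccessMin > JWT_CAP_MIN) {
    refreshMin = idpAccessMin;         // not requested, access > 15 min: same as access token
  } else if (idpAccessMin < JWT_CAP_MIN) {
    refreshMin = null;                 // not requested, access < 15 min: no refresh token
  } else {
    refreshMin = undefined;            // exactly 15 min: not specified in the answer
  }
  return { jwtMin, refreshMin };
}

// Which tokens are still within their lifetime `elapsedMin` minutes after sign-in.
function sessionStateAt(elapsedMin, lifetimes) {
  if (elapsedMin < lifetimes.jwtMin) return "jwt-valid";
  if (lifetimes.refreshMin === undefined) return "unspecified";
  if (lifetimes.refreshMin !== null && elapsedMin < lifetimes.refreshMin) {
    return "jwt-expired-refresh-valid";
  }
  return "no-valid-token";
}

// Constructed scenario from the question: 5-minute access token, checked at minute 6.
for (const offline of [false, true]) {
  const lifetimes = genesysTokenLifetimes(5, offline);
  console.log({ offline, ...lifetimes, atMinute6: sessionStateAt(6, lifetimes) });
}
```

Under these rules the 60-minute Cognito refresh token lifetime from the question does not enter the calculation; only the access token lifetime and the offline scope do.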