Hello,
Do I understand correctly that you were directly calling the login url (in case of Implicit Grant) using fetch (at least on first trigger - before getting the redirect with access_token and then possibly calling loginImplicitGrant), and not making use of the loginImplicitGrant method both times (first and on redirect)?
If yes, I don't think that adding support for prompt:login as LoginPKCEGrantOptions (and in the loginPKCEGrant) would be enough.
If you call the loginImplicitGrant or loginPKCEGrant method from the "same" page/tab (I mean where you have loaded the Platform API JS library and performed a login flow once), even if you're not persisting settings (i.e. setPersistSettings to true), the library will attempt to check if there is a token (global variable), test it and use it if it is successful. So if your two orgs are in the same region (url not changing), the test of the token will be successful (on the first org - even if you are trying to point to a different clientId).
If I were to add prompt:login support in loginImplicitGrant, and if you were calling the loginImplicitGrant both times, instead of fetch (if I understood your login process correctly), you would have the same behavior (I mean 3rd scenario not prompting them for an org).
The Implicit Grant flow that you experience "works" because you are calling the login url via fetch() and therefore skipping the logic applied in the loginImplicitGrant method (that checks an existing token).
So I think adding prompt:login in LoginPKCEGrantOptions wouldn't really change this, because calling loginPKCEGrant method would do the same thing than loginImplicitGrant, i.e. checking if there is an existing token stored (either as global variable or also in local storage if setPersistSettings with same app name has been set in your other apps).
I can see to add the prompt:login in a future version of the SDK for Implicit Grant and PKCE Grant. But as written above, I don't think that will be enough.
To get similar behavior, I think you'd need to skip the "first" loginPKCEGrant method call. And as PKCE implies a two-step process with code challenge and code verifier, have some code to manage this. Just theoretical as I don't know how your app is built and what/where you would need to change these things.
I had made the generation of code verifier and computation of code challenge available as methods on the ApiClient class. The code verifier would need to be saved in session storage (as it is needed for the second part of the PKCE process - and to be extracted by the loginPKCEGrant method).
So for first call, possibly something like:
const apiClient = platformClient.ApiClient.instance;
let codeVerifier = apiClient.generatePKCECodeVerifier(128);
let codeChallenge = await apiClient.computePKCECodeChallenge(codeVerifier);
sessionStorage.setItem(`genesys_cloud_sdk_pkce_code_verifier`, codeVerifier);
// then fetch of the login url for PKCE
// with client_id (new clientId), redirect_uri, code_challenge (equal to codeChallenge vairable computed above), response_type: 'code', code_challenge_method: 'S256', prompt: 'login'
And then, being able to invoke the loginPKCEGrant method on the redirect (which contains the code query parameter).
If you can, try this and let me know how this goes.
As said, I can still add the prompt:login support in future versions of the SDK, but I don't think that'd be enough for your flow. The logic needed is probably closer to the code I have described above. Not having similar test environment and SSO (and not having your web app), it is a bit difficult to guarantee it will be enough.
Regards,
------------------------------
Jerome Saint-Marc
Senior Development Support Engineer
------------------------------
Original Message:
Sent: 12-11-2025 23:03
From: Nick Tait
Subject: Enhance loginPKCEGrant method to support "prompt:login" option (in LoginPKCEGrantOptions)
I have written a web application that I use with many Genesys Cloud orgs. It uses the JavaScript PSDK, and summarises license usage.
I recently updated the application to use loginPKCEGrant instead of loginImplicitGrant to authenticate the user (using SSO). This happens when the app is loaded in the browser, and the user is redirected to Microsoft for SSO, and one of the following occurs:
- If they haven't recently (in the same browsing session) authenticated to Genesys Cloud, they are prompted for their username and password and MFA, and then they are prompted for which Genesys Cloud org they want to use. And they are redirected back to the app where the PKCE stuff completes and they then have a valid token for the selected org.
- If they have recently (in the same browsing session) authenticated to Genesys Cloud using a different Genesys Cloud application, it skips asking for their credentials and they are simply asked for which Genesys Cloud org they want to use. And they are redirected back to the app where the PKCE stuff completes and they then have a valid token for the selected org.
- If they have recently (in the same browsing session) authenticated to Genesys Cloud using the same Genesys Cloud application, it skips asking for their credentials and the org, and redirects them back to the app where the PKCE stuff completes and they then have a valid token for the same org they originally selected.
Since I want to use this app with multiple orgs, I'm looking for a way to get the 3rd scenario above to prompt the user for the org.
When I was using Implicit Grant, I could do a fetch() to replicate the loginImplicitGrant redirection, and include "&prompt=login" in the the URL, and that would cause SSO to ask them for the org. Then when the user was redirected back to the app they had a valid token.
But this doesn't work with PKCE Grant due to the PKCE challenge stuff.
So what I'd like to request is that the LoginPKCEGrantOptions class is enhanced to support "prompt:login", and then include that in the URL parameters when the redirection occurs?
Thanks.
#PlatformSDK
------------------------------
Nick Tait
Genesys Consultant
------------------------------