Genesys Cloud - Developer Community!

  • 1.  Google Data Actions target_audience

    Posted 9 days ago

    Hello everyone,

    due to a client project involving the security configuration of Google Cloud Run, we are experiencing authentication issues (401) when connecting from Genesys to Google Cloud Run.

    Through a support ticket opened to Google, we have determined that the issue lies with the `target_audience` parameter that the standard Genesys Google Data Actions integration includes in the generated token.

    Is there any way to modify the target_audience and insert a custom URL instead of the URL included in the Genesys Data Action?

    Thank you for your support or suggestions.

    Giuseppe.


    #DataActions

    ------------------------------
    Giuseppe Roio
    ------------------------------


  • 2.  RE: Google Data Actions target_audience

    Posted 9 days ago

    For the completeness of the answer, I am including the response from the Google support ticket below:

    *** Google Ticket Response

    They also mentioned that the calls from Genesys through the proxy (WAF/ILB) consistently fail with `ResponseCode: 401` and the specific error `AUTH_FAILED_TOKEN_VERIFICATION`. This error strongly points to a mismatch in the OIDC token's audience (`aud`) claim when Genesys constructs the token for the proxied URL.

    Since the Custom Audiences list seems correct and direct calls are working, the issue is highly localized to how Genesys generates the OIDC token when calling the external proxy URL.

    Based on their latest update, you are required to investigate the process by which the OIDC token is generated within your Genesys configuration. Specifically, you need to confirm that the audience parameter used to request the token from Google matches the exact external URL being called [2]

    If the configuration process for the audience claim in Genesys is not clear, we recommend consulting Genesys support or their documentation for integrations requiring Google OIDC authentication. Capturing the `Authorization: Bearer <TOKEN>` header from a failed proxied request remains the most definitive way to diagnose the exact `aud` claim Genesys is sending. If possible, please capture this token so we can decode it and compare it against the configured Custom Audiences.

    ***

    Thanks.



    ------------------------------
    Giuseppe Roio
    ------------------------------



  • 3.  RE: Google Data Actions target_audience

    Posted 7 days ago

    This kind of problem is beyond the scope of these forums; please open a support ticket for this.



    ------------------------------
    --Jason
    ------------------------------



  • 4.  RE: Google Data Actions target_audience

    Posted 7 days ago

    Hello Giuseppe,

    I am not sure what alternate target_audience you might need. Our understanding of the Google documents and our own tests show that we must set the target_audience to the function endpoint being executed. In the following test example, https://region-project.cloudfunctions.net/function-name is the URL of the Google Function.

    ```json
    {
      "iat": 1774620914,
      "iss": "our-test-id-value@developer.gserviceaccount.com",
      "exp": 1774621034,
      "aud": "https://oauth2.googleapis.com/token",
      "scope": "",
      "sub": "our-test-id-value@developer.gserviceaccount.com",
      "target_audience": "https://region-project.cloudfunctions.net/function-name"
    }
    ```

    If you can point us to documentation that indicates we are not using the API correctly, please open a support ticket so we can open this as a defect in development.

    It is also likely that your use case might be outside the scope of our intended use for Google Function support, which would require either a feature change, or you will have to implement your own web function endpoint to make these Google calls, and use that as a proxy using a standard Web Data Action.



    ------------------------------
    Gregory Cunningham
    Software Architect
    ------------------------------
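
Added example, not part of any post above and not Genesys or Google code: it decodes the payload of a captured `Authorization: Bearer <TOKEN>` value, as the Google ticket response suggests, and compares the `aud` claim with the audiences the service is configured to accept. The sample token, the proxy URL and the function names are constructed or hypothetical, and the signature is not verified, so this is for diagnosis only.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_audience(token: str, accepted: list[str]) -> dict:
    """Compare the token's aud claim with the audiences the service accepts.

    Assumption: the receiver compares audiences as exact strings, so a
    trailing slash or case difference is reported separately as a near miss.
    """
    aud = jwt_claims(token).get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    norm = lambda u: u.rstrip("/").lower()
    exact = [a for a in auds if a in accepted]
    near = [a for a in auds if a not in accepted
            and norm(a) in {norm(x) for x in accepted}]
    return {"aud": auds, "match": bool(exact), "near_miss": near}

# Constructed sample: an unsigned token shaped like a Google ID token whose
# aud is the function URL from the thread. The proxy URL is hypothetical.
FUNCTION_URL = "https://region-project.cloudfunctions.net/function-name"
PROXY_URL = "https://proxy.example.com/function-name"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://accounts.google.com",
                        "aud": FUNCTION_URL, "exp": 1774621034}).encode()),
    _b64url(b"constructed-signature"),
])

if __name__ == "__main__":
    print(check_audience("Bearer " + SAMPLE_TOKEN, [PROXY_URL]))
    print(check_audience(SAMPLE_TOKEN, [PROXY_URL, FUNCTION_URL]))
```

Pass the list of configured Custom Audiences together with the externally called URL as `accepted`; a result with `match` false and an empty `near_miss` means the token was minted for a different audience altogether.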