The updated GenesysCloudOAuthWebView can initiate an OAuth Implicit Grant Flow or an OAuth PKCE Grant Flow.
The choice of OAuth flow is controlled using the OAuthConfig's IsPKCEGrant property (default: true). PKCE Grant is defined as the default OAuth flow.
The OAuth WebView sample project generates the libraries for different framework versions: .NET Core 3.1, .NET Framework 4.7.2, .NET 8.0 (Windows), .NET 10.0 (Windows).
Original Message:
Sent: 02-03-2026 07:51
From: Wolfgang Liebich
Subject: How can we convert a C# Fat Client's Login method from Implicit Grant to PKCE?
Hello,
thank you, this helps me to get started with the problem.
Yes - it clarified things, thank you for your lucid explanation.
Regards,
Wolfgang Liebich
Original Message:
Sent: 02-02-2026 11:41
From: Jerome Saint-Marc
Subject: How can we convert a C# Fat Client's Login method from Implicit Grant to PKCE?
Hello,
With PKCE, the OAuth flow will be a two-step process.
I assume that currently, with Implicit Grant, you are opening the following url: "https://login.{Environment}/oauth/authorize?client_id={ClientId}&redirect_uri={RedirectUri}&response_type=token" (where Environment=mypurecloud.com or mypurecloud.ie or ...).
You may also be adding some of the optional OAuth parameters:
- "&org={Org}&provider={Provider}"
- "&state={State}"
- "&prompt=login"
When you get the redirect, you are checking if "error" appears as hash parameter or as query parameter (which means the OAuth was unsuccessful), or if "access_token" appears as hash parameter (that you can then retrieve and use for your next Platform API requests).
With PKCE, as written above, it is a two-step process - similar to the OAuth Authorization Code flow.
You will first need to generate a Code Verifier and compute its Code Challenge.
There are some helpers in the SDK:
var codeVerifier = Configuration.Default.ApiClient.GeneratePKCECodeVerifier(128);
var codeChallenge = Configuration.Default.ApiClient.ComputePKCECodeChallenge(codeVerifier);
Then open the /oauth/authorize url (like for Implicit Grant), but with the following parameters (passing the code challenge value): "https://login.{Environment}/oauth/authorize?client_id={ClientId}&redirect_uri={RedirectUri}&response_type=code&code_challenge={HttpUtility.UrlEncode(codeChallenge)}&code_challenge_method=S256"
You may also be adding some of the optional OAuth parameters:
- "&org={Org}&provider={Provider}"
- "&state={State}"
- "&prompt=login"
When you get the redirect, you can check if "error" appears as hash parameter or as query parameter (which means the OAuth was unsuccessful), or if "code" appears as query parameter.
Once you have retrieved the code, you can then request the access token (/oauth/token endpoint). You need the retrieved code, the code verifier and the clientId (no need for client secret). You can use the existing PostTokenPKCE method from the SDK:
var accessTokenInfo = Configuration.Default.ApiClient.PostTokenPKCE(clientId, redirectUri, codeVerifier, authCode);
Console.WriteLine("Access token=" + accessTokenInfo.AccessToken);
Hope this clarifies.
Regards,
------------------------------
Jerome Saint-Marc
Senior Development Support Engineer
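The first step of the flow described in the reply above, written with only .NET base-class APIs and the S256 method from RFC 7636, as an added example that is not part of the thread or of the Genesys SDK. The class and method names, client id, redirect URI and returned code are constructed placeholders, and the `state` comparison is an addition built on the optional `state` parameter the reply lists; the verifier must be kept in memory for the later token request.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

static class PkceExample
{
    // Base64url without padding, as RFC 7636 requires for verifier and challenge.
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string RandomToken(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Base64Url(bytes);
    }
    // S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    static string Challenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // Returns the authorization code; throws on an OAuth error or a state mismatch.
    static string ReadCode(Uri redirect, string expectedState)
    {
        var query = HttpUtility.ParseQueryString(redirect.Query);
        var hash = HttpUtility.ParseQueryString(redirect.Fragment.TrimStart('#'));
        var error = query["error"] ?? hash["error"];
        if (error != null) throw new InvalidOperationException("OAuth error: " + error);
        if (query["state"] != expectedState) throw new InvalidOperationException("State mismatch");
        return query["code"] ?? throw new InvalidOperationException("No code in redirect");
    }

    static void Main()
    {
        // Self-check against the RFC 7636 Appendix B test vector.
        Console.WriteLine(Challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
                          == "E9Melhoa2OwvFrEN-TgUi-1JiJCTlZd1hvI1WPdpb2M");
        string verifier = RandomToken(32), state = RandomToken(16);
        // Constructed placeholders: client id, redirect URI and the returned code.
        string url = "https://login.mypurecloud.com/oauth/authorize?response_type=code"
            + "&client_id=CLIENT-ID-PLACEHOLDER&redirect_uri=" + Uri.EscapeDataString("http://localhost:8080/callback")
            + "&code_challenge=" + Challenge(verifier) + "&code_challenge_method=S256&state=" + state;
        Console.WriteLine(url);
        var redirect = new Uri("http://localhost:8080/callback?code=CONSTRUCTED-CODE&state=" + state);
        Console.WriteLine(ReadCode(redirect, state));
    }
}
```

On .NET Framework 4.7.2 the project needs a reference to System.Web for `HttpUtility`.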
Original Message:
Sent: 02-02-2026 08:32
From: Wolfgang Liebich
Subject: How can we convert a C# Fat Client's Login method from Implicit Grant to PKCE?
Hi,
We have written a .NET fat client application (with UI) which accesses the Genesys Cloud using the Implicit Grant OAuth method.
As this "Implicit Grant" is deprecated, we want to convert the app to use the PKCE OAuth flow. The documentation in the .NET SDK, however, is not really clear to me - is there a working example code for .NET which shows us how to use the PKCE OAuth method?
Thanks in advance,
Wolfgang Liebich
#PlatformSDK