How to login users to a mobile app without specific OAuth integration like genesys mobile apps?

  • 1.  How to login users to a mobile app without specific OAuth integration like genesys mobile apps?

    Posted 06-05-2025 18:18

    Hichem_Agrebi | 2021-03-16 18:45:24 UTC | #1

    How can users log in to an OAuth integration with the following info only: region, organization, username and password, like done with the Genesys mobile apps? The objective is to be able to grant access to multiple organizations in different regions.

    Is there a way around the OAuth integration with type authorization code? In other words, is there a way to log in to a mobile app without an OAuth integration to a specific organization, very much like Genesys mobile apps?

    Thank you for any insights on how best to realize this.


    Dariusz | 2021-03-19 10:13:47 UTC | #2

    Hi Hichem, You need to use a select or dropdown control to allow a user to pick the region and then redirect him to a proper GC login page in order to authenticate him. When the user is redirected to the login page he can change the org within the selected region.


    Hichem_Agrebi | 2021-03-19 16:40:32 UTC | #3

    Thanks Dariusz, that's not sufficient though. An OAuth integration with a clientId and client secret would be required, otherwise how can this be done? I don't see any other way so far.


    Dariusz | 2021-03-22 10:50:35 UTC | #4

    Indeed, you will need to create an OAuth client but it will be of type 'implicit grant'. You can create only one Client ID and use it across all GC orgs. The client secret is not applicable in this scenario as users will use their own credentials for authorization. I've used a similar approach many times for multi-region and multi-org applications and it works well.


    Benjamin_Guenard | 2021-03-23 09:43:37 UTC | #5

    Hi Dariusz,

    It works fine; however, implicit grant is not recommended for safety reasons, it is vulnerable to access token leakage. It is not suitable for some of our customers who do security tests to validate our applications. I will be surprised that Genesys uses this type of OAuth authentication in Tempo.

    Is Genesys Tempo using this OAuth implicit flow?

    Kind Regards,

    Benjamin


    Dariusz | 2021-03-24 07:57:26 UTC | #6

    Hey Benjamin, Sorry, I don’t know the technical details of Tempo. However, from the UI point of view it doesn’t look like something else than an OAuth flow. Maybe someone else can confirm?


    xember | 2021-03-24 10:49:02 UTC | #7

    Tempo is probably a webapp wrapped in a native container. So from a security perspective you could store the client secret in the native app part... this app is signed and encrypted. If you did the authorization code flow from the native part you won’t run into the CORS error simply because the native part isn’t performing the preflight request. You can see the native part as a local server or as a fat client application.


    Benjamin_Guenard | 2021-03-25 12:55:29 UTC | #8

    The security issue is not related to the client ID but to the token in the implicit flow. The initial question is how to use the auth code flow without creating an OAuth integration for each customer. According to my analysis, Tempo uses a hard-coded clientId / Secret valid on all organizations.


    system | 2021-04-25 12:55:32 UTC | #9

    This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.


    This post was migrated from the old Developer Forum.

    ref: 10297
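
The region-picker redirect with one implicit-grant client from reply #4, combined with handling for the token-in-URL exposure raised in reply #5, as an added example that is not part of the original thread and is not Genesys code. The login hostnames, `CLIENT_ID_PLACEHOLDER` and the `app.example` redirect URI are assumptions to check against the Genesys Cloud documentation.

```javascript
// Added example. Region-to-login-host map: assumed values, verify before use.
const LOGIN_HOSTS = new Map([
  ['us-east-1', 'login.mypurecloud.com'],
  ['eu-west-1', 'login.mypurecloud.ie'],
  ['eu-central-1', 'login.mypurecloud.de'],
]);

// Build the implicit-grant authorize URL for the region chosen in the dropdown.
// `state` must be a fresh random value that the app stores before redirecting.
function buildAuthorizeUrl(region, clientId, redirectUri, state) {
  const host = LOGIN_HOSTS.get(region);
  if (!host) throw new Error(`unknown region: ${region}`);
  if (!state) throw new Error('state is required');
  const url = new URL(`https://${host}/oauth/authorize`);
  url.search = new URLSearchParams({
    response_type: 'token', // implicit grant: no client secret involved
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Handle the redirect back to the app. The access token arrives in the URL
// fragment, which is why it can leak through history, logs or shared links.
function handleRedirect(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  const params = new URLSearchParams(url.hash.slice(1));
  const token = params.get('access_token');
  if (!token) return { ok: false, reason: params.get('error') || 'no_token' };
  // Reject responses that do not belong to the login this app started.
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  url.hash = ''; // drop the fragment so the token is not kept in the address
  return {
    ok: true,
    token, // keep in memory only, not in localStorage or logs
    expiresIn: Number(params.get('expires_in')),
    cleanUrl: url.toString(), // in a browser: history.replaceState(null, '', cleanUrl)
  };
}
```

Stripping the fragment and checking `state` narrows the exposure but does not remove it: the token still passes through the browser's address bar once.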