
Is it expected that a user from any org can log in successfully to another org with Code Authorization?


    Posted 06-05-2025 18:02

    draeder | 2021-03-17 01:51:28 UTC | #1

    I have a server that handles both back-end and front-end authentication with Genesys Cloud. The back-end uses the grant type "Client Authorization", and the front-end uses the grant-type "Code Authentication".

    What is happening is anyone who successfully logs into the front-end is successfully getting an access token even though they are not in that organization. That seems to be very broken, but it could be my code if I'm misunderstanding something.

    I would expect that access to the front-end would only be allowed if the logged in user is in the same org as the "Code Authentication" OAuth client. Am I missing something here? Is it designed that way intentionally? E.g. Do I need to check the OAuth client's org against the user's org who is trying to log in?

    With all of that said, I think the documentation and naming conventions for OAuth client grant types is confusing. To me, the grant types seem to have their names flipped.

    I would expect the "Code Authorization" grant type would mean backend server code authorization, whereas the "Client Authorization" grant type would mean front-end client authentication through the browser and subsequent redirects. But it looks to be the opposite.

    Thanks, Dan


    Jason_Mathison | 2021-03-17 02:15:52 UTC | #2

    Hi Dan,

    I have seen lots of people post in these forums due to confusion with how the various OAuth types work. Here is a previous response about using "code Authentication" that might help you: https://developer.mypurecloud.com/forum/t/oauth-authorization-code-for-different-orgs/2725/3

    And here is a page that goes over the flow of a code authentication integration. https://developer.mypurecloud.com/api/rest/authorization/use-authorization-code.html

    The names for the various OAuth authentication strategies were not made by us. I also don't find the naming system very helpful.

    --Jason
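    Dan's question is whether his server must compare the organization of the user who just logged in against the organization the OAuth client belongs to. Whatever the platform does by default, a server that completes the authorization-code exchange can enforce that check itself before it creates a session. The following is an added example written for this thread, not code posted by Dan, Jason or Genesys. The token endpoint (`/oauth/token` on the login host, client credentials in an HTTP Basic header) and the `/api/v2/organizations/me` call follow the authorization-code documentation Jason links; the host names, client credentials, authorization code and organization IDs are placeholders, and the offline `make_fake_opener` stand-in for `urllib.request.urlopen` returns constructed responses so the example runs without network access.

```python
"""Authorization-code exchange followed by an organization check.

Added example, not code from the original thread. Endpoint paths follow
the Genesys Cloud authorization-code flow documentation; host names,
client credentials and organization IDs below are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request


class OrgMismatch(Exception):
    """Raised when the token belongs to a user outside the expected org."""


def _http_json(opener, url, method, headers, body=None):
    """Send one request through `opener` (urlopen by default), decode JSON."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def exchange_code(code, client_id, client_secret, redirect_uri, login_host,
                  opener=urllib.request.urlopen):
    """Trade the authorization code for tokens at the login host.

    Client ID and secret travel in an HTTP Basic header; grant_type, code
    and redirect_uri travel in the form-encoded body, as the code flow
    requires. redirect_uri must match the one used on the authorize step.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return _http_json(opener, f"https://{login_host}/oauth/token", "POST",
                      {"Authorization": f"Basic {basic}",
                       "Content-Type": "application/x-www-form-urlencoded"},
                      body)


def fetch_org_id(access_token, api_host, opener=urllib.request.urlopen):
    """Ask the API which organization the token's user belongs to."""
    org = _http_json(opener, f"https://{api_host}/api/v2/organizations/me",
                     "GET", {"Authorization": f"Bearer {access_token}"})
    return org["id"]


def authorize_login(code, *, client_id, client_secret, redirect_uri, login_host,
                    api_host, expected_org_id, opener=urllib.request.urlopen):
    """Complete the code flow and refuse users from any other organization.

    The check happens server-side, after the exchange and before any
    session is issued, so a token for a foreign org never becomes a login.
    """
    token = exchange_code(code, client_id, client_secret, redirect_uri,
                          login_host, opener)
    org_id = fetch_org_id(token["access_token"], api_host, opener)
    if org_id != expected_org_id:
        raise OrgMismatch(f"user belongs to org {org_id}, not {expected_org_id}")
    return token


class _FakeResponse:
    """Minimal stand-in for the object urlopen returns (constructed)."""
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def make_fake_opener(user_org_id):
    """Constructed offline opener: canned token and organization replies."""
    def opener(req):
        if req.full_url.endswith("/oauth/token"):
            return _FakeResponse({"access_token": "tok-123",
                                  "token_type": "bearer", "expires_in": 86400})
        if req.full_url.endswith("/api/v2/organizations/me"):
            return _FakeResponse({"id": user_org_id, "name": "Example Org"})
        raise AssertionError("unexpected URL " + req.full_url)
    return opener


def demo(user_org_id, expected_org_id="org-A"):
    """Run the check against the constructed opener; 'ok' or 'rejected'."""
    try:
        authorize_login("code-abc", client_id="client-id", client_secret="secret",
                        redirect_uri="https://app.example/callback",
                        login_host="login.example", api_host="api.example",
                        expected_org_id=expected_org_id,
                        opener=make_fake_opener(user_org_id))
        return "ok"
    except OrgMismatch:
        return "rejected"


if __name__ == "__main__":
    print(demo("org-A"), demo("org-B"))  # ok rejected
```

    The point of the structure is that the organization check lives on the server, next to the code exchange, and runs before a session is created; a check in browser code can be skipped by anyone who holds a valid token for some other organization. For real use, replace `make_fake_opener` with the default `urllib.request.urlopen` and pin `expected_org_id` to the ID of the organization that owns the OAuth client.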


    draeder | 2021-03-17 03:30:11 UTC | #3

    Thank you, sir. Can the names be addressed, whether or not they were created by Genesys? "Code Authorization" should be back-end server applications. "Client Authorization" should be front-end logins as a matter of framework.


    Jerome.Saint-Marc | 2021-03-18 18:51:40 UTC | #4

    Hello,

    The Grant Type names listed in the OAuth client ("Client Credentials", "Code Authorization", "Token Implicit Grant") are not from Genesys. They refer to OAuth2 Authorization Grant types.

    OAuth 2.0 Client Credentials Grant: https://oauth.net/2/grant-types/client-credentials/
    OAuth 2.0 Authorization Code Grant: https://oauth.net/2/grant-types/authorization-code/
    OAuth 2.0 Implicit Grant: https://oauth.net/2/grant-types/implicit/

    Regards,


    draeder | 2021-03-18 19:03:43 UTC | #5

    Okay, that makes more sense. Thanks for the clarification.

    Dan


    system | 2021-04-18 19:03:44 UTC | #6

    This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.


    This post was migrated from the old Developer Forum.

    ref: 10307