Legacy Dev Forum Posts


Authenticated Web Messaging Guest API

    Posted 06-05-2025 18:37

    Markuz | 2024-03-28 09:48:01 UTC | #1

    Hi community, through the use of the Web Messaging Guest API, we have developed an application that interfaces with a Messenger Deployment configured in GC, with success. Our customer also asked us to implement an authenticated session, but we have problems getting the OpenID Connect protocol to work, as requested in the documentation (https://developer.genesys.cloud/commdigital/digital/webmessaging/websocketapi#configure-an-authenticated-session). We would like to implement OIDC on the Azure environment with the Azure B2C AD component; can anyone confirm that this is a useful component for this purpose? Thank you in advance.


    vpirat | 2024-03-28 11:19:09 UTC | #2

    Hi,

    Yes, this is the way to go.

    Integration with Azure has already been done in the past. You may want to check this post for general guidelines.

    Hope this helps,

    Best regards, V.P.


    Markuz | 2024-04-04 13:28:51 UTC | #3

    Hi vpirat,

    thank you for the valuable information! We followed the directions in the post you linked, but we get an error in the final step of the Authorization process, when we try to get the JWT from the Genesys Cloud API.

    We initially called the following URL from which we get the code:

    https://inailcloud.b2clogin.com/inailcloud.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SIGNUP_SIGNIN_INAIL&response_type=code&response_mode=fragment&scope=openid%20profile%20email%20offline_access%20https%3A%2F%2Fjwt.ms%2F&client_id=cc8d158c-57dd-4d2e-97d4-7958xxxxxxxx&redirect_uri=https%3A%2F%2Fjwt.ms%2F&nonce=ZQnkwBaGC/X1YlcxGfjvuA==

    Next we invoke the GC API:

    https://api.mypurecloud.de/api/v2/webdeployments/token/oauthcodegrantjwtexchange

    Below you can find the Request we make and the corresponding Response we get:

    Request
    {
      "deploymentId": "d25b8c3d-3ad0-4981-932d-0706cedecbb7",
      "oauth": {
        "code": "eyJraWQiOiIyUjFhQkY1S1pITGpNTGRha0U3Q0lYVVRiYk9KbDNyQzc4dlRoTjUyWlJFIiwidmVyIjoiMS4w***********",
        "redirectUri": "https://jwt.ms/"
      }
    }
    Response
    {
        "message": "Failed to identify user for token: 8c2a597b44c07c1a3ba1e205a6065d47 deploymentId: d25b8c3d-3ad0-4981-932d-0706cedecbb7",
        "code": "unauthorized",
        "status": 401,
        "contextId": "7bd3f7cd-07c0-44cf-a714-e4f0523c01a9",
        "details": [],
        "errors": []
    }

    We should have followed all the steps, could you please help us understand where we are going wrong?

    Thank you in advance.

    Marco


    vpirat | 2024-04-04 15:59:10 UTC | #4

    Hi Marco,

    It is likely because you set the nonce in the authorization request, but not in the Genesys API call.

    nonce=ZQnkwBaGC/X1YlcxGfjvuA==

    Add the same nonce parameter in the /oauthcodegrantjwtexchange payload. (see https://developer.genesys.cloud/commdigital/digital/webmessaging/authenticateapi#how-to-get-the-genesys-jwt)

    Do not set any other security parameters if they are not set in the authorization request as well.

    Hope this helps.

    Best regards, V.P.
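
The point made in post #4, as an added example (not code from the thread or from Genesys): build the authorization request and the exchange payload from the same values, then check that they agree before calling the API. The function names, the sample values and the placement of `nonce` inside the `oauth` object are assumptions; the payload otherwise follows the request shown in post #3.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def build_authorize_url(endpoint, policy, client_id, redirect_uri, nonce):
    """Authorization request URL; urlencode() percent-encodes every value."""
    return endpoint + "?" + urlencode({
        "p": policy,
        "response_type": "code",
        "scope": "openid profile email offline_access",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    })

def build_exchange_payload(deployment_id, code, redirect_uri, nonce=None):
    """Body for /oauthcodegrantjwtexchange, in the shape shown in post #3."""
    oauth = {"code": code, "redirectUri": redirect_uri}
    if nonce is not None:
        oauth["nonce"] = nonce  # assumption: nonce sits next to code/redirectUri
    return {"deploymentId": deployment_id, "oauth": oauth}

def mismatches(authorize_url, payload):
    """Names of values that differ between the two requests (empty = consistent)."""
    query = parse_qs(urlsplit(authorize_url).query)
    oauth = payload.get("oauth", {})
    found = []
    if query.get("nonce", [None])[0] != oauth.get("nonce"):
        found.append("nonce")
    if query.get("redirect_uri", [None])[0] != oauth.get("redirectUri"):
        found.append("redirectUri")
    return found

if __name__ == "__main__":
    # Constructed sample values, not taken from any real tenant or deployment.
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet: no '/', '+' or '='
    callback = "https://app.example.test/callback"
    url = build_authorize_url(
        "https://idp.example.test/tenant/oauth2/v2.0/authorize",
        "B2C_1A_EXAMPLE", "00000000-0000-0000-0000-000000000000",
        callback, nonce)
    ok = build_exchange_payload("deployment-id-placeholder", "code-from-redirect",
                                callback, nonce)
    bad = build_exchange_payload("deployment-id-placeholder", "code-from-redirect",
                                 callback)
    print(mismatches(url, ok))   # consistent pair
    print(mismatches(url, bad))  # nonce sent to the IdP but missing from the payload
```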


    GROIO | 2024-04-04 16:33:33 UTC | #5

    Hi vpirat, thanks for the reply. I am a colleague of Markuz; we have tried to remove "nonce" from the authorization API. But we get the same response (401).

    We have noticed by trying the Azure token API https://inailcloud.b2clogin.com/inailcloud.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signup_signin_inail that it only responds with the IDTOKEN without the ACCESSTOKEN. AD B2C, unlike AD, requires either not passing scopes or passing the clientid among the scopes in order to return the accesstoken. Could this be the problem? Do we have any way to access Genesys logs in the backend?

    Thanks, Giuseppe.


    vpirat | 2024-04-04 20:26:37 UTC | #6

    Hi Giuseppe,

    Yes, Azure B2C does not provide the accesstoken by default, only the ID token. But that's OK. You can indeed ask for the accesstoken, but it is not compulsory on our side for this to work. Are you able to exchange the code using an HTTP request?

    POST /{tenantId}/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded
    
    client_id=<your clientId>
    &scope=openid%20profile%20email%20offline_access
    &code=<exchange_code>
    &redirect_uri=<your_url>
    &grant_type=authorization_code
    &client_secret=<your-secret> // NOTE: Only required for web apps. This secret needs to be URL-Encoded.

    If yes, then it should also work with the Genesys API.

    No, you don't have access to the backend, but if you give me the contextId of one of the failing requests, I can check the logs.

    Regards, V.P.


    GROIO | 2024-04-05 07:19:32 UTC | #7

    Hi vpirat, we have already tried successfully calling the api you suggested /oauth2/v2.0/token and it works correctly while Genesys keeps returning 401. You can check this contextid bd8121f2-9548-4b1d-8072-88da09de9b80 which is related to the last test where we removed the nonce.

    Thanks for the support.

    Giuseppe.


    vpirat | 2024-04-05 07:50:40 UTC | #8

    Hi,

    I checked the contextId code provided. It fails when trying to retrieve the discovery document provided in the OpenId integration. The service fails with an HTTP 404 status code. Copy/paste the URL you set into a browser to check if it is valid. Likely not. The URL should end with /.well-known/openid-configuration

    Regards, V.P.
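
The browser check suggested in post #8, as an added script (not code from the thread or from Genesys) that can be run before saving the discovery URI in the OpenID integration. The function names and sample URLs are assumptions; the checked fields are standard OpenID Connect discovery metadata, and the path is compared without the query string because a policy may be passed as `?p=...`.

```python
import json
import urllib.error
import urllib.request

SUFFIX = "/.well-known/openid-configuration"
# Metadata an authorization-code client relies on (OpenID Connect Discovery 1.0).
NEEDED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def http_get(url, timeout=10):
    """Return (status, body); 4xx/5xx are returned, network errors propagate."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_discovery(url, fetch=http_get):
    """Return a list of problems with an OIDC discovery URI; empty means usable."""
    problems = []
    if not url.startswith("https://"):
        problems.append("not https")
    if not url.split("?", 1)[0].endswith(SUFFIX):
        problems.append(f"path does not end with {SUFFIX}")
    status, body = fetch(url)
    if status != 200:
        return problems + [f"HTTP {status}"]
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not JSON"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    for key in NEEDED:
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            problems.append(f"missing or non-https {key}")
    return problems

if __name__ == "__main__":
    # Constructed offline stand-in for the identity provider.
    good = "https://idp.example.test/tenant/v2.0/.well-known/openid-configuration?p=policy"
    doc = json.dumps({k: "https://idp.example.test/" + k for k in NEEDED})
    fake = lambda u: (200, doc) if u == good else (404, "")
    print(check_discovery(good, fake))
    print(check_discovery("https://idp.example.test/tenant/v2.0/", fake))
```

Call `check_discovery(url)` without the second argument to query the real endpoint.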


    GROIO | 2024-04-05 08:02:44 UTC | #9

    Great!!! We tried again by editing the url and it works!!! Thank you so much for the support!

    Have a great day!

    Giuseppe.


    Markuz | 2024-04-05 09:09:57 UTC | #10

    Hi vpirat, thank you very much for your precious support!

    Best Regards, Marco


    system | 2024-05-05 09:09:59 UTC | #11

    This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.


    This post was migrated from the old Developer Forum.

    ref: 25455