StueyMcT | 2018-04-04 17:26:07 UTC | #1
I have a Custom Client Application URL which uses a client id and secret to get the purecloud user's details. How do I allow multiple orgs in my URL applications (i.e. different id/secret in the oauth setup)?
tim.smith | 2018-04-05 14:51:02 UTC | #2
Do you mean you're using client credentials in a web app? If so, please take it down immediately. Client credentials are like a username and password. Putting them in a web page is completely insecure.
Please use the Implicit or Auth Code authorization grants to authorize a web application.
StueyMcT | 2018-04-09 08:25:27 UTC | #3
Hi Tim, no we are using the auth code method. So on our side, we already have the client id and secret. My question is related to how we handle multiple orgs from our side when they hit the same url?
Jason_Mathison | 2018-04-09 12:58:54 UTC | #4
So you have multiple customers using the same URL to access your application?
Does your application have any authentication you could use to determine which org they are part of?
tim.smith | 2018-04-09 13:16:31 UTC | #5
> StueyMcT wrote (post #3):
> My question is related to how we handle multiple orgs from our side when they hit the same url?
I'm not sure what you mean by "handle" them. Can you be more specific about what you're trying to accomplish? Users from any org in the region can log in to your app.
StueyMcT | 2018-04-09 14:01:55 UTC | #6
No, because to call the API /me function we need to authenticate and to authenticate we have the client id and secret configured on our side. Currently we are using Custom Client Application, so we could pass a reference to the org in the url (we call them companies on our side). So I guess the question really should be whether when we are selectable as an app in purecloud, whether our installation script will be able to customize the URL used to have this reference in it?
tim.smith | 2018-04-09 14:22:57 UTC | #7
> so we could pass a reference to the org in the url
I still don't understand what you're trying to do. What do you need the org id for?
StueyMcT | 2018-04-09 14:31:05 UTC | #8
On your side there will be multiple people from multiple orgs. When each of them clicks on our URL we will need to authenticate them using grant_type=authorization_code. So in order to do that we need to have a client id and secret set up in their org in the purecloud admin oauth section (which we use from our app to authenticate with). But this secret is specific to each org. So when they click on our URL, how do we know on our side which client id and secret to use? In my reply to Jason, I mentioned that I could put a parameter in the URL which distinguished their "company" on our side. However I need to know if that can be done when a new org on purecloud does a self service install (when we are available as an app in purecloud and not just a Custom Client Application).
tim.smith | 2018-04-09 14:34:38 UTC | #9
> StueyMcT wrote (post #8):
> we need to have a client id and secret set up in their org in the purecloud admin oauth section
No you don't. Implicit and auth code OAuth clients are valid for all users within a region, regardless of org.
StueyMcT | 2018-04-09 15:09:20 UTC | #10
ok thanks, so if I set up an oauth client id and secret in our org within the region, I will be able to use that to call the API /me function for any user from another org within the same region?
StueyMcT | 2018-04-09 15:13:51 UTC | #11
Great so I have tested that with our 2 orgs. So how do we handle it when orgs are in different regions?
tim.smith | 2018-04-09 16:06:56 UTC | #12
Your app will need to know which region the user wishes to authorize in, and must have an OAuth client configured in each region; OAuth clients span all orgs in a region, but do not span regions. For the sake of anyone else reading this, this does not apply to client credentials; they are tied to a single org because the client credentials configuration requires you to grant it a role for permissions in the org where it was created, whereas implicit, auth code, and SAML2 bearer grants get permissions and org access based on the user that authenticated.
Determining the correct region boils down to a design decision for your app. I would suggest either having different URLs for your app for each region (like we do with mypurecloud.ie, etc.) or have the user choose which region they want prior to redirecting them for authentication (like we do for the forum logins). Though you can implement any method that allows your app to know the region config it should use. Once your app knows which region the user would like to use for authentication, your app will initiate the OAuth flow using the OAuth client and auth URLs for the desired region.
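The per-region client selection described in post #12, as an added example that is not part of the original thread: the app keeps one auth code OAuth client per region, looks the region up in an allowlist, and carries it through the redirect in a signed `state` value so the callback exchanges the code in the same region. The login hosts, `/oauth/authorize` and `/oauth/token` paths, client ID placeholders, and all function names are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode

# Constructed sample config: one auth code OAuth client per region.
# Hosts are assumptions and client IDs are placeholders; secrets stay server-side.
REGION_CLIENTS = {
    "us": {"login_host": "login.mypurecloud.com", "client_id": "CLIENT_ID_US"},
    "ie": {"login_host": "login.mypurecloud.ie", "client_id": "CLIENT_ID_IE"},
}
STATE_KEY = secrets.token_bytes(32)  # per-process key; persist it in a real deployment

def _sign(payload: str) -> str:
    mac = hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def client_for(region: str) -> dict:
    """Allowlist lookup: user input never becomes part of a hostname directly."""
    if region not in REGION_CLIENTS:
        raise ValueError(f"unsupported region: {region!r}")
    return REGION_CLIENTS[region]

def build_authorize_url(region: str, redirect_uri: str) -> tuple[str, str]:
    """Return (authorize URL, state) for the chosen region's OAuth client."""
    cfg = client_for(region)
    payload = f"{region}.{secrets.token_urlsafe(16)}"  # region + random nonce
    state = f"{payload}.{_sign(payload)}"
    query = urlencode({
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"https://{cfg['login_host']}/oauth/authorize?{query}", state

def region_from_state(state: str) -> str:
    """On the callback, recover the region the flow was started in."""
    payload, _, sig = state.rpartition(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("state failed integrity check")
    region = payload.split(".", 1)[0]
    client_for(region)  # re-check against the allowlist
    return region

def token_url(region: str) -> str:
    """Token endpoint in the same region as the authorize request."""
    return f"https://{client_for(region)['login_host']}/oauth/token"
```

The signature only protects the region from being altered in transit; the app should also store the issued `state` in the user's session and compare it on the callback before exchanging the code.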
This post was migrated from the old Developer Forum.
ref: 2698