Genesys Cloud - Developer Community!


  • 1.  Unable to exchange JWT from Auth Code

    Posted 04-24-2025 05:55

    Our team is implementing authenticated web messaging.

    We have set up the integration and made our web messenger deployment point towards the integration. However, when attempting to obtain a JWT from the Auth Code through POST /api/v2/webdeployments/token/oauthcodegrantjwtexchange, we got the following error message:

    {
        "message": "Failed to identify user for token: 36b85637680daf581200dea6c231aa42 deploymentId: a7f2d608-363b-4331-8704-6e1c09b57e30",
        "code": "unauthorized",
        "status": 401,
        "contextId": "9235c493-b12a-4460-ac06-1e4aa0cbdb8c",
        "details": [],
        "errors": []
    }

    Here is our API request body:

    {
        "deploymentId": "a7f2d608-363b-4331-8704-6e1c09b57e30",
        "oauth": {
            "code": "DRnfDnrtkC256L7H9VAh3Wh7Gmg",
            "redirectUri": "https://jwt.io/signin"
        }
    }

    Our discovery uri is https://openiam-d0.ete.cathaypacific.com/am/oauth2/.well-known/openid-configuration

    We have checked that our integration has the client id and secret configured correctly.

    Btw, the Auth Code request doesn't support the scopes email and offline_access. Still, according to the Genesys documentation, only openid is actually needed (please correct me if I am wrong), so we assume it should still be OK.

    Lastly, we tried calling the token endpoint https://openiam-d0.ete.cathaypacific.com:443/am/oauth2/access_token and retrieved the response successfully.
    This implies the token endpoint is returning the access token correctly.

    {
    "access_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJTSmFDOTU3SmpaaC9wNjFidHRxRkFHc25rQ0E9IiwiYWxnIjoiUlMyNTYifQ.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.km5gqtwqUWn33rbNTboqhvoyPrzZiY1vNX6629CU9TatiJOQLfcr_Lelp05cML4HYvN7sRoFfFR8x061BFuk3l73SMymevBIwOFFijD_L8v4MUfQFjmJq7fR-gjMxy2ZYa7rRbeQmnHPBwcGYgb1-pl6MjUvwTE4qvqPTo0hNyLTe6HOOKkBgvKFO_299bhTynI9Qur1Ld_Mrl6jeakjMOF30XVT0_lF0hNfxU_-B6vvfNye7DvInkhutVX-frGARkuNKI8UwpYd8fCkSDeYm_kQl8lk0syKeOvE2UP2kBIGjd1XMx28uQYCab8uTdnrYFbSn-RmYAyuY6efbxLTMQ",
    "refresh_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJTSmFDOTU3SmpaaC9wNjFidHRxRkFHc25rQ0E9IiwiYWxnIjoiUlMyNTYifQ.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.U1x5TwR8xWNpBpZAWjUcJ3R5TtViAv9ZPr9DgKSQOt0iSNTiwEp6kHCHd8hVyYjoQa--EulqPjeInI40TSJssP-8ZcEXVSb89F5DeicecpfVsFtL-0RywK4oLOZPXiHnZblA9BN71kQsunw9vcbVo_WZcBze9a0rt1b_GdPvTfKWz9nMAji3FwwYje2n7nQbZr1gN_lyn62xKBXxi_J0I1mdyk7q-SAZ5FfbNXqfD5sDup0qYgso9RbDQ76ThQmjwLARrbTOwGIx_hfvdqAcCfSlednLIztHhcnV6o7V5YNyhZu_qWQfJzCoE2ODWT4jF_kI2GJ5lgzdz8aiaCv1Tg",
    "scope": "openid",
    "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJTSmFDOTU3SmpaaC9wNjFidHRxRkFHc25rQ0E9IiwiYWxnIjoiUlMyNTYifQ.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.LbcGvNcDa8XQXBM4AhQx00BmSC4Xw6ONeHWnTegxndJ2EiVDVGzkhqW29k3R-3mDS9VCY1ggspJdSvIvLGQFHq24hihajvIY74YI38qENuXxFXfwgMJiIx-YWRdFpCl0U5G2Y4Oz2ry33D7JemvZigRQ5Pbnnr18-Y1bb1iLhlldXdWhDXMBGcSNVQVgQ3gzCXcEcz1x-uJ-aj7GuGzXW4joe1ykHZNBtF5tqRKJShyztuiZTtuNDiMmgwHAP3GyyYK5_F1lRi_Qyfrts7JygjpL3qLUYb1AgFgW1TVtuAEzcVAtkI2pBhQyYGh1zXKac1htHTkyfgFGF-COr908Gg",
    "token_type": "Bearer",
    "expires_in": 3596
    }

    Appreciate it if anyone could tell what could be missing from our configuration.


    #WebMessaging

    ------------------------------
    Matthew Chan
    Application Development Specialist
    ------------------------------


  • 2.  RE: Unable to exchange JWT from Auth Code

    Posted 04-24-2025 05:56

    Btw we refreshed the client id and secret and it still doesn't work. Here is the context id: 

    0cc1373f-dd2b-4c41-9363-5c414b12fffd


    ------------------------------
    Iris Chan
    Project Manager
    ------------------------------



  • 3.  RE: Unable to exchange JWT from Auth Code

    Posted 04-25-2025 06:30

    Guys, I have figured out the root cause. It turns out it is because our discovery URI exposes multiple auth methods for the token endpoint.

    Genesys will only pick the last one in the list. In our case, our given client can only be authenticated by client_secret_post, but the last authentication method in the list is client_secret_basic. Genesys therefore picks client_secret_basic and the API call is rejected.

    The issue was resolved after we were provided another pair of client id and secret that can be authenticated by client_secret_basic.



    ------------------------------
    Iris Chan
    Project Manager
    ------------------------------
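
The mismatch described in post 3, as an added example (not part of the thread and not Genesys code): it reads `token_endpoint_auth_methods_supported` from a discovery document, applies the "last entry wins" selection reported by the poster, checks it against what the client registration allows, and shows how the two token requests differ on the wire. The selection rule is taken from the post as an assumption; the discovery fragment, host names, credentials and function names are constructed for illustration.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Constructed discovery fragment (hypothetical IdP, not the poster's real metadata).
SAMPLE_DISCOVERY = {
    "token_endpoint": "https://idp.example/oauth2/access_token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post", "private_key_jwt", "client_secret_basic"],
}

def method_picked_last(discovery):
    """Assumed rule, as reported in the post above: the last advertised method is used."""
    methods = discovery.get("token_endpoint_auth_methods_supported")
    # OIDC Discovery: if the field is omitted, the default is client_secret_basic.
    return methods[-1] if methods else "client_secret_basic"

def check_client(discovery, client_methods):
    """Compare the method that would be picked with what the client registration allows."""
    picked = method_picked_last(discovery)
    return {"picked": picked, "ok": picked in client_methods}

def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for an authorization_code exchange using `method`."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then Basic-encode "id:secret".
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel in the form body; no Authorization header is sent.
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"method not covered by this example: {method}")
    return headers, urlencode(form)

if __name__ == "__main__":
    result = check_client(SAMPLE_DISCOVERY, {"client_secret_post"})
    print(result)
    for m in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request(
            m, "demo-client", "demo secret", "constructed-code", "https://app.example/cb")
        print(m, headers, body)
```

Running the check against the real discovery document before configuring the integration shows whether the client registration needs to allow the method that will be used.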