Auth.authError when connecting via Genesys Integration

Hello,
I've got an issue when implementing the Genesys Connect Messenger Integration. I did set up my integration with my client credentials and, on the OIDC IDP side, I'm able to log in and get my authorization code, but whenever I try to send my auth code to the messenger, the messenger is not able to log in and an auth.authError event is raised. I verified my redirect_uri and it is the same as in my IDP config.
Here is an example of the error message I get:

{
    "time": 1712592917287,
    "publisher": "Auth",
    "event": "auth.autherror",
    "eventName": "authError",
    "data": {
        "authCode": "<<REDACTED>>",
        "redirect_uri": "http://localhost:3000/messenger"
    }
}

In the logs of my IDP, I don't have any logs that tell me that the exchange of the code for the access token failed, whereas I have success logs when the token exchange is done outside of the web messenger.

Do you have any ideas on what may cause this issue?
Thanks,

Hi,

It might be obvious but auth code can be used only once within a given timeframe (usually one minute).

If you meet this requirement, there could be a variety of reasons why it fails.
Usually there's a discrepancy in parameters set.

Are you setting any extra security parameters like nonce, max_age or PKCE?
If yes, this should be reflected in the configuration when calling messenger.
The reverse is true. Don't set a security parameter that is not used when calling /authorization endpoint.

Are you able to provide a contextId so that I can check for errors on the server side?
(Check in network tab of your browser when URL /api/v2/webdeployments/token/oauthcodegrantjwtexchange is invoked).

Alternatively, you can try to manually invoke this endpoint to test your settings.
There's also a post on general guidelines that you may be interested to read too.

Hope this helps,

Best regards,
V.P.

Hello,

Thanks for your answer. I am able to get my token at the purecloud oauthcodegrantjwtexchange endpoint; however, when I run a server with a barebones HTML page with only the JavaScript needed to run the Messenger, I still have an Auth.authError event that is raised after I register a getAuthCode command with the Genesys function.

Here is the code that I use to load the messenger and run the auth. The messenger works and I can get messages in my queue if I turn off "Authentication" in the "Messenger configurations" so I don't think there is anything wrong in the config.

<body>
    <script type="text/javascript">
        (function (g, e, n, es, ys) {
          g['_genesysJs'] = e;
          g[e] = g[e] || function () {
            (g[e].q = g[e].q || []).push(arguments)
          };
          g[e].t = 1 * new Date();
          g[e].c = es;
          ys = document.createElement('script'); ys.async = 1; ys.src = n; ys.charset = 'utf-8'; document.head.appendChild(ys);
        })(window, 'Genesys', 'https://apps.mypurecloud.de/genesys-bootstrap/genesys.min.js', {
          environment: 'prod-euc1',
          deploymentId: 'b44<<REDACTED>>',
        });
      </script>
      <script>
        Genesys('registerPlugin', 'AuthProvider', (AuthProvider) => {
          AuthProvider.registerCommand('getAuthCode', (e) => {
            const urlParams = new URLSearchParams(window.location.search);
            const authCode = urlParams.has('code') ? urlParams.get('code') : ""
            const redirectUri = "http://localhost:5000/test.html";
            console.log(`getAuthCode called, code: ${authCode}, redirectUri: ${redirectUri}`);
            e.resolve({
              authCode: authCode,
              redirect_uri: redirectUri
            })
          });
          AuthProvider.subscribe('Auth.ready', () => {
            console.log("Auth plugin ready");
          });
          AuthProvider.subscribe('Auth.authenticated', (jwt,refreshToken) => {
            console.log("Auth.authenticated");
          });
          AuthProvider.subscribe('Auth.authError', (e) => {
            console.log("Auth.authError");
            console.log(JSON.stringify(e, null, 4));
          });
          AuthProvider.ready();
        });
      </script>
</body>

In my Network tab, I have calls to get the "genesys.min.js" script and the "domains.json" and "config.json" files, but there isn't any call to the oauthcodegrantjwtexchange endpoint.
In my console logs, getAuthCode seems to be correctly called but I have the same error message:

getAuthCode called, code: jOb<<REDACTED>>, redirectUri: http://localhost:5000/test.html
Auth plugin ready
Auth.authError
{
    "time": 1712660824415,
    "publisher": "Auth",
    "event": "auth.autherror",
    "eventName": "authError",
    "data": {
        "authCode": "jOb<<REDACTED>>",
        "redirect_uri": "http://localhost:5000/test.html"
    }
}

When I use this auth code with the same redirect_uri and deploymentId, I'm able to successfully get my tokens.

Thanks,

This is likely the issue. Should it be http://localhost:3000/test.html?

Regards,
V.P.

My service was already running on port 3000, so I ran another one on port 5000 to test a simple "test.html" page to isolate the behavior. The "http://localhost:5000/test.html" is what is called when I get my tokens from the oauthcodegrantjwtexchange endpoint.
Sorry for the confusion.

Ah ok, but it looks like your authorization server is still registered with port 3000.
Can you check the callback URL on the server side?

I think the issue comes down to the fact that e.resolve() doesn't send any request with the auth code and the redirectUri:

  • I don't have any calls to oauthcodegrantjwtexchange in my network tab when I call e.resolve()
  • When I send an HTTP request at the oauthcodegrantjwtexchange endpoint, in my IDP logs, I have token exchange logs whereas I don't have any token exchange logs when I call e.resolve()
  • There doesn't seem to be a connectivity issue since I'm able to use the JS fetch API to send a request to oauthcodegrantjwtexchange, if I replace the e.resolve() with the fetch request

Allow me to share a screenshot illustrating the issue with my console and network tabs, and the token logs from my IDP:

Thanks for your previous answers

Ok, the mistake is because I typed "redirect_uri" instead of "redirectUri" in my e.resolve()...
The authentication is working well now, thanks for your time :slightly_smiling_face:
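
The mistake found in the last post, as an added example that is not part of the thread and not Genesys code: a small pre-flight check to run on the object before it is passed to e.resolve(), so a misnamed key is reported before any token exchange is attempted. The helper names (checkAuthPayload, buildAuthPayload, redact) are hypothetical, the sample values are constructed, and the only key names assumed are the authCode and redirectUri that the thread ends up with; the snake_case check is a heuristic.

```javascript
// Keys the thread's working payload uses; anything else here is hypothetical.
const REQUIRED_KEYS = ['authCode', 'redirectUri'];

// Return a list of problems with an object about to be passed to e.resolve().
function checkAuthPayload(payload) {
  const problems = [];
  for (const key of REQUIRED_KEYS) {
    if (typeof payload[key] !== 'string' || payload[key] === '') {
      problems.push(`missing or empty "${key}"`);
    }
  }
  // Heuristic: OAuth wire names are snake_case, the payload in the thread is camelCase.
  for (const key of Object.keys(payload)) {
    if (key.includes('_')) {
      const camel = key.replace(/_([a-z])/g, (_, c) => c.toUpperCase());
      problems.push(`"${key}" is snake_case; expected "${camel}"`);
    }
  }
  return problems;
}

// Build the payload from the callback URL's query string (window.location.search).
function buildAuthPayload(search, redirectUri) {
  const code = new URLSearchParams(search).get('code') || '';
  return { authCode: code, redirectUri };
}

// Copy of the payload that is safe to log: the one-time code is truncated.
function redact(payload) {
  const out = { ...payload };
  if (out.authCode) out.authCode = out.authCode.slice(0, 3) + '<redacted>';
  return out;
}

// Constructed sample with the same shape as the failing post's payload.
const failing = { authCode: 'abc123', redirect_uri: 'http://localhost:5000/test.html' };
console.log(checkAuthPayload(failing));

// Constructed sample of the corrected payload.
const fixed = buildAuthPayload('?code=abc123', 'http://localhost:5000/test.html');
console.log(checkAuthPayload(fixed), redact(fixed));
```

Logging redact(payload) instead of the raw object keeps the one-time authorization code out of console output and screenshots.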