Auth. Use Implicit Grant with Generic SSO Provider

Our company uses a generic SSO provider (Keycloak) with the SAML protocol.
Under the hood, Keycloak uses LDAP.

I want to use implicit grant,

because OAuth2 SAML2 Bearer
requires providing <client_id>:<client_secret>; as I understand it, our private user ID is the LDAP login and password.
That is a bad option because of security restrictions on providing an organization password to a third company (Genesys).

Additional context information:
a user access token is required to make a call
to /api/v2/conversations/calls
(Create a call conversation).

We can't make a manual call from a user by
using a backend token (auth client credentials).

That's why I want to use implicit grant.
First problem:
there is no option for generic SSO:
https://developer.genesys.cloud/authorization/platform-auth/additional-parameters

provider
Authentication provider to log in with. Valid values are "okta", "adfs", "salesforce", "onelogin", "gsuite", or "ping".

Code:

import platformClient from 'purecloud-platform-client-v2/dist/web-cjs/bundle';
const clientId = "{genesis user id}";
let client = platformClient.ApiClient.instance;
client.setEnvironment(platformClient.PureCloudRegionHosts.eu_central_1);
client.setPersistSettings(true, 'optional_prefix');
// API instance used after login (was missing from the snippet)
const usersApi = new platformClient.UsersApi();

client.loginImplicitGrant(clientId, "https://{domain}/genesys-front-desks-factory-widet/stage.html?conversationId=f1acd67a-a455-4f8a-881d-901f673e0459", {"org":"{companyId}","provider":"okta", "target":"{companyId}" })
    .then((data) => {
      console.log(data);
    })
    .then(() => {
      // Make request to GET /api/v2/users/me?expand=presence
      return usersApi.getUsersMe({ 'expand': ["presence"] });
    })
    .then((userMe) => {
      // Handle successful result (template literal needs backticks)
      console.log(`Hello, ${userMe.name}!`);
    })
    .catch((err) => {
      // Handle failure response
      console.log(err);
    });

Main problem:
after the widget loaded, client.loginImplicitGrant
redirected to
https://login.mypurecloud.de/oauth/authorize?client_id=433d7c75-fce0-43e5-a0e8-3cf0e398c179&response_type=token&provider=okta&org={companyId}&redirect_uri=https://{domain}/genesys-front-desks-factory-widet/stage.html?conversationId=f1acd67a-a455-4f8a-881d-901f673e0459

After that I get a message that Genesys Cloud doesn't know the user or the user is expired
(and I see an option to log in).
The second time I select region and company and am redirected (in a frame) to the SSO provider, Keycloak.
I provide my LDAP login and password and Keycloak redirects me back to Genesys (in the frame),
but Genesys does not redirect me to the redirect_uri.
That part is broken.
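As an added illustration (not code from the post or from the Genesys SDK) of what the implicit grant round trip above looks like on the wire: the first function builds the /oauth/authorize request that loginImplicitGrant issues with the provider/org parameters, and the second parses the token that the authorization server appends to redirect_uri as a URL fragment. The login host, client id, domain and an anti-CSRF state parameter are assumptions; the SDK in the post does not show a state value.

```javascript
// Constructed placeholders: region login host (assumed eu_central_1) and sample ids.
const AUTH_HOST = "https://login.mypurecloud.de";

// Build the authorize request for the implicit grant (response_type=token).
function buildAuthorizeUrl(clientId, redirectUri, opts = {}) {
  const url = new URL("/oauth/authorize", AUTH_HOST);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("redirect_uri", redirectUri); // encoded, including its ?conversationId=...
  for (const key of ["provider", "org", "state"]) {
    if (opts[key] !== undefined) url.searchParams.set(key, opts[key]);
  }
  return url.toString();
}

// After login the token arrives in the fragment (#access_token=...), which the
// browser never sends to the server. Check for an error, a missing token, and
// that the state value we sent came back unchanged (assumed anti-CSRF check).
function parseImplicitGrantRedirect(landedUrl, expectedState) {
  const url = new URL(landedUrl);
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (frag.has("error")) {
    return { ok: false, error: frag.get("error"), description: frag.get("error_description") };
  }
  const token = frag.get("access_token");
  if (!token) {
    return { ok: false, error: "no_token", description: "redirect carried no access_token fragment" };
  }
  if (expectedState !== undefined && frag.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch", description: "state did not round-trip" };
  }
  return {
    ok: true,
    accessToken: token,
    expiresIn: Number(frag.get("expires_in")),
    conversationId: url.searchParams.get("conversationId"), // query part of redirect_uri survives
  };
}
```

A redirect that lands on the widget page without any fragment (the "broken" case in the post) is reported as no_token rather than silently treated as logged in.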
