Authenticate webmessaging with OKTA - fetch authentication token

Hi all,

Just wondering if anyone can help. I am following steps from https://developer.genesys.cloud/blueprints/messenger-authentication-okta-integration-blueprint/ to authenticate webmessaging and I am using example code from here https://github.com/GenesysCloudBlueprints/messenger-authentication-okta-integration-blueprint/blob/main/docs/oauth.html

But I got stuck with this error...

If anyone can help ?

Thanks
Fransiska

Hi,

Sorry to hear that you're running into issues with authentication.
Configuration can be tricky sometimes, as it has to be done on server side and client side.

First of all, the reason for failure in the particular example you show in the snapshot is a 401 error from the authorization server.
You might want to check your server's log.

Secondly, if authentication is rejected, it is likely a configuration issue.

I've seen also that you've tried different configurations (with and without PKCE).

I could see also some errors like "The grant was issued to another client. Please make sure the 'client_id' matches the one used at the authorize request." without PKCE.
This could happen if you request the code on one server instance and use another url to exchange the code.

I would advise to :

Let me know if this helps.

Regards,
V.P.

Hi V.P.,

Thanks for the advice.

I checked the doco https://developer.genesys.cloud/blueprints/messenger-authentication-okta-integration-blueprint/, we need to create the Okta app as "web".

Does it mean the token should come from server authentication? And we cannot create it as a SPA application (JavaScript)?

But the example provided is JavaScript https://github.com/GenesysCloudBlueprints/messenger-authentication-okta-integration-blueprint/blob/main/docs/oauth.html

Second question: if we want to use the “Enable authenticated sign-in with the OAuth endpoint” solution, how can we get the "state" value which is part of the authURL (see below screenshot)?

Thanks
Fransiska

Hi,

Yes, this is correct for the Okta template.
Choose OIDC / OpenId Connect and Web application as shown below.

Regarding the state parameter, it is a user-defined value. You can set whatever content within. The purpose is to provide a value that the server will send back as a "proof of origin".
The client should check that the state parameter in the response matches the one in the request.
Random values such as UUIDs are good candidates but you can set whatever string there.
Note that this is an optional parameter.
You might want to check Final: OpenID Connect Core 1.0 incorporating errata set 1

Hope this helps,

Regards,
V.P.
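
The `state` round trip described in the reply above, as an added example that is not part of the thread or of the Genesys blueprint: the client generates a random value, stores it, sends it in the authorize URL, and rejects any callback whose `state` does not match. The endpoint, client ID, redirect URI and storage key are constructed placeholders, and `memoryStore` is a hypothetical stand-in for the browser's `sessionStorage`.

```javascript
// Added example. All URLs, IDs and key names are constructed placeholders.
// Web Crypto: global in browsers and recent Node; falls back to node:crypto.
const rng = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : null);

// Same getItem/setItem/removeItem shape as sessionStorage, kept in memory
// so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const STATE_KEY = 'oauth_state'; // hypothetical storage key

// 128 random bits, hex-encoded, so the value cannot be guessed.
function newState() {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the authorize URL and remember the state that was sent with it.
function buildAuthUrl(store, { authorizeEndpoint, clientId, redirectUri }) {
  const state = newState();
  store.setItem(STATE_KEY, state);
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId,
    redirect_uri: redirectUri, scope: 'openid', state,
  }).toString();
  return url.toString();
}

// On the redirect back: compare, then discard the stored value (single use).
function handleCallback(store, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const expected = store.getItem(STATE_KEY);
  store.removeItem(STATE_KEY);
  const returned = params.get('state');
  if (!expected || !returned || returned !== expected) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const code = params.get('code');
  return code ? { ok: true, code }
              : { ok: false, reason: params.get('error') || 'missing_code' };
}
```

In a browser, pass `sessionStorage` as `store`; only a callback that returns `ok: true` should go on to the code exchange.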
