Authenticated Web Messaging Guest API

Hi community,
Through the use of the Web Messaging Guest API, we have developed an application that interfaces with a Messenger Deployment configured in GC, with success.
Our customer also asked us to implement an authenticated session, but we have problems getting the OpenID Connect protocol to work, as requested in the documentation (https://developer.genesys.cloud/commdigital/digital/webmessaging/websocketapi#configure-an-authenticated-session). We would like to implement OIDC on the Azure environment with the Azure B2C AD component; can anyone confirm that this is a useful component for this purpose?
Thank you in advance.

Hi,

Yes, this is the way to go.

Integration with Azure has already been done in the past.
You may want to check this post for general guidelines.

Hope this helps,

Best regards,
V.P.

Hi vpirat,

Thank you for the valuable information! We followed the directions in the post you linked, but we get an error in the final step of the authorization process, when we try to get the JWT from the Genesys Cloud API.

We initially called the following URL from which we get the code:

https://inailcloud.b2clogin.com/inailcloud.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_SIGNUP_SIGNIN_INAIL&response_type=code&response_mode=fragment&scope=openid%20profile%20email%20offline_access%20https%3A%2F%2Fjwt.ms%2F&client_id=cc8d158c-57dd-4d2e-97d4-7958xxxxxxxx&redirect_uri=https%3A%2F%2Fjwt.ms%2F&nonce=ZQnkwBaGC/X1YlcxGfjvuA==

Next we invoke the GC API:

https://api.mypurecloud.de/api/v2/webdeployments/token/oauthcodegrantjwtexchange

Below you can find the Request we make and the corresponding Response we get:

Request
{
  "deploymentId": "d25b8c3d-3ad0-4981-932d-0706cedecbb7",
  "oauth": {
    "code": "eyJraWQiOiIyUjFhQkY1S1pITGpNTGRha0U3Q0lYVVRiYk9KbDNyQzc4dlRoTjUyWlJFIiwidmVyIjoiMS4w***********",
    "redirectUri": "https://jwt.ms/"
  }
}
Response
{
    "message": "Failed to identify user for token: 8c2a597b44c07c1a3ba1e205a6065d47 deploymentId: d25b8c3d-3ad0-4981-932d-0706cedecbb7",
    "code": "unauthorized",
    "status": 401,
    "contextId": "7bd3f7cd-07c0-44cf-a714-e4f0523c01a9",
    "details": [],
    "errors": []
}

We should have followed all the steps, could you please help us understand where we are going wrong?

Thank you in advance.

Marco

Hi Marco,

It is likely because you set the nonce in the authorization request, but not in the Genesys API call.

nonce=ZQnkwBaGC/X1YlcxGfjvuA==

Add the same nonce parameter in the /oauthcodegrantjwtexchange payload.
(see https://developer.genesys.cloud/commdigital/digital/webmessaging/authenticateapi#how-to-get-the-genesys-jwt)

Do not set any other security parameters if they are not set in the authorization request as well.

Hope this helps.

Best regards,
V.P.

Hi vpirat,
Thanks for the reply. I am a colleague of Markuz; we have tried removing "nonce" from the authorization API.
But we get the same response (401).

We have noticed, by trying the Azure token API https://inailcloud.b2clogin.com/inailcloud.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signup_signin_inail, that it only responds with the ID_TOKEN, without the ACCESS_TOKEN.
AD B2C, unlike AD, requires either not passing scopes or including the client_id among the scopes in order to return the access_token.
Could this be the problem?
Do we have any way to access Genesys logs in the backend?

Thanks,
Giuseppe.

Hi Giuseppe,

Yes, Azure B2C does not provide the access_token by default, only the id_token. But that's OK:
you can indeed ask for the access_token, but it is not compulsory for our side to work.
Are you able to exchange the code using an HTTP request?

POST /{tenantId}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=<your clientId>
&scope=openid%20profile%20email%20offline_access
&code=<exchange_code>
&redirect_uri=<your_url>
&grant_type=authorization_code
&client_secret=<your-secret> // NOTE: Only required for web apps. This secret needs to be URL-Encoded.

If yes, then it should work also with Genesys api.

No, you don't have access to the backend, but if you give me a contextId of one of the failing requests, I can check the logs.

Regards,
V.P.

Hi vpirat,
We have already tried calling the API you suggested (/oauth2/v2.0/token) and it works correctly, while Genesys keeps returning 401.
You can check this contextId:
bd8121f2-9548-4b1d-8072-88da09de9b80
which is related to the last test where we removed the nonce.

Thanks for the support.

Giuseppe.

Hi,

I checked the contextId you provided.
It fails when trying to retrieve the discovery document configured in the OpenID integration.
The service fails with an HTTP 404 status code.
Copy/paste the URL you set into a browser to check whether it is valid. Likely not.
The URL should end with /.well-known/openid-configuration

Regards,
V.P.
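The root cause found above was a discovery URL that returned 404. As an added example (not from the thread and not Genesys code), the block below performs the check a practitioner would run before saving the URL in the OpenID integration: it verifies the URL is HTTPS and ends with /.well-known/openid-configuration, fetches the document, and checks that the fields needed for an authorization-code flow are present and HTTPS. The fetcher is injected and the discovery document is constructed, so it runs offline; the assumed Azure AD B2C path form (https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration) is an assumption to confirm against your tenant, and `example` / `B2C_1A_SIGNUP_SIGNIN` are placeholders.

```javascript
// Added example (not from the original thread): sanity-check an OpenID
// discovery URL and the document it returns before putting it in the Genesys
// OpenID integration. fetchJson is injected so the check runs offline here;
// in practice pass a function that does an HTTPS GET and parses JSON.
const WELL_KNOWN = '/.well-known/openid-configuration';

// Metadata the OpenID Connect Discovery spec requires, restricted to what an
// authorization-code relying party actually consumes.
const REQUIRED_FIELDS = [
  'issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri',
  'response_types_supported', 'subject_types_supported',
  'id_token_signing_alg_values_supported',
];
const HTTPS_FIELDS = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];

// Static checks on the configured URL itself (the failure in the thread was a
// URL that did not point at the well-known document at all).
function checkDiscoveryUrl(url) {
  const problems = [];
  let u;
  try { u = new URL(url); } catch (e) { return ['not a valid absolute URL']; }
  if (u.protocol !== 'https:') problems.push('must use https');
  if (!u.pathname.endsWith(WELL_KNOWN)) problems.push(`path must end with ${WELL_KNOWN}`);
  if (u.hash) problems.push('fragment is not allowed');
  return problems;
}

// Assumption (placeholder form, confirm against your tenant): Azure AD B2C
// user-flow / custom-policy discovery URL.
function b2cDiscoveryUrl(tenant, policy) {
  return `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/v2.0${WELL_KNOWN}`;
}

// Fetch and validate the document. Returns { ok, problems, issuer }.
function validateDiscovery(url, fetchJson) {
  const problems = checkDiscoveryUrl(url);
  if (problems.length) return { ok: false, problems };
  let doc;
  try {
    doc = fetchJson(url);
  } catch (e) {
    return { ok: false, problems: [`fetch failed: ${e.message}`] };
  }
  for (const f of REQUIRED_FIELDS) {
    if (!(f in doc)) problems.push(`missing ${f}`);
  }
  for (const f of HTTPS_FIELDS) {
    if (typeof doc[f] === 'string' && !doc[f].startsWith('https://')) problems.push(`${f} is not https`);
  }
  if (Array.isArray(doc.response_types_supported) && !doc.response_types_supported.includes('code')) {
    problems.push('authorization code flow not supported');
  }
  return { ok: problems.length === 0, problems, issuer: doc.issuer };
}

// Constructed fake fetcher: serves a minimal discovery document for goodUrl and
// raises HTTP 404 for any other URL, mirroring the failure seen in this thread.
function makeFakeFetcher(goodUrl) {
  return (url) => {
    if (url !== goodUrl) {
      const e = new Error('HTTP 404');
      e.status = 404;
      throw e;
    }
    return {
      issuer: 'https://example.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/',
      authorization_endpoint: 'https://example.b2clogin.com/example.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize',
      token_endpoint: 'https://example.b2clogin.com/example.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token',
      jwks_uri: 'https://example.b2clogin.com/example.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys',
      response_types_supported: ['code', 'id_token', 'code id_token'],
      subject_types_supported: ['pairwise'],
      id_token_signing_alg_values_supported: ['RS256'],
    };
  };
}
```

Keeping the URL check separate from the document check means a typo in the configured URL is reported as such, rather than surfacing later as an opaque "Failed to identify user" from the token exchange.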

Great!!!
We tried again by editing the URL and it works!!! Thank you so much for the support!

Have a great day!

Giuseppe.

Hi vpirat,
thank you very much for your precious support!

Best Regards,
Marco

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.