{
"message": "Failed to identify user for token: 2133064859c8b07be8e5e6395381f7f0 deploymentId: afead3f5-70e7-4730-ae2e-1b70a9e46f0a",
"code": "unauthorized",
"status": 401,
"contextId": "0b288ade-454f-46b6-8581-35ecef3876fb",
"details": [],
"errors": []
}
So this API is used to exchange the authCode for a token for authenticated messaging. I use this request in a mobile WebView component with the redirect URL scheme "spotnana://". This redirect URL is accepted by my IDP, since the redirect URL successfully returns the auth code. Can Genesys take this redirectUri without issue? I couldn't find out what is wrong with my request.
Regarding the redirect uri, I would say it's not an issue for the authentication phase.
The process "just" checks that what you provided is what is configured.
There is no "usage" of the redirect uri itself as such.
Based on the contextId you provided, I could see in logs a response from the authentication server with an "invalid_grant" error.
I don't have more details. But this means that the exchange request reached your server that rejected it.
Can you check the authentication server logs to find out why the request was rejected?
I would suggest manually testing the exchange request itself from a browser.
To do so, open the discovery document you set up in the integration.
Find the token endpoint and invoke it using the parameters you set up.
POST /token
Content-Type: application/x-www-form-urlencoded
authorization: Basic base64(<clientId>:<secret>)

grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<exchange_code>
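The manual exchange test described in the answer above, as an added example that is not part of the original thread or Genesys code: it reads the token endpoint from a discovery document, builds the POST without sending it, and lists what RFC 6749 section 5.2 says an `invalid_grant` reply can mean. The IdP host, client credentials, code and the `spotnana://auth` path are constructed sample values.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample discovery document (hypothetical IdP host).
DISCOVERY = ('{"issuer": "https://idp.example.com", '
             '"token_endpoint": "https://idp.example.com/oauth2/token"}')

# Causes RFC 6749 section 5.2 lists for invalid_grant.
INVALID_GRANT_CAUSES = [
    "code is invalid, expired or revoked (codes are single use)",
    "redirect_uri differs from the one sent in the authorization request",
    "code was issued to another client",
]


def build_exchange_request(discovery_json, client_id, secret, redirect_uri, code):
    """Build, without sending, the authorization-code exchange POST."""
    endpoint = json.loads(discovery_json)["token_endpoint"]
    if not endpoint.startswith("https://"):
        raise ValueError("token endpoint must be https")
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    # urlencode percent-encodes ':' and '/', so a custom-scheme URI stays intact.
    body = urlencode({"grant_type": "authorization_code",
                      "redirect_uri": redirect_uri, "code": code})
    return Request(endpoint, data=body.encode(), method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + basic,
    })


def explain_token_error(response_body):
    """Return the possible causes for an OAuth error response body."""
    error = json.loads(response_body).get("error")
    if error == "invalid_grant":
        return INVALID_GRANT_CAUSES
    return [f"see RFC 6749 section 5.2 for '{error}'"]


if __name__ == "__main__":
    req = build_exchange_request(DISCOVERY, "my-client", "my-secret",
                                 "spotnana://auth", "constructed-code")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Sending with urllib.request.urlopen(req) raises HTTPError on a 400;
    # pass err.read() to explain_token_error().
    print(explain_token_error('{"error": "invalid_grant"}'))
```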
Thanks a lot V.P.!
Right now I don't have access to the IDP log. Can you help me get the successful log and the failure log on the Genesys side? I'd like to compare them to find some clue.
Here are the AWS logs of the Genesys Cloud request to the IDP. The working one is from web. The not-working one is from the WebView component in React Native. Do you see anything wrong?
We are properly sending back the redirect_uri as reported in the not-working.json file.
The log file does not really give a reason for the rejection.
We are receiving on our side an 'invalid_grant' error code.
I think that you should open a case with AWS by providing the requestId of the failed test and ask why Cognito is rejecting the token exchange when setting an app URI.