Genesys OAuth with Grant type Authorization Code

Hi,

We are working to come up with a solution for API call between the following:

Genesys Cloud <--> AWS <--> SAP with Okta as OAuth Provider.

Here are the steps for OAuth 2.0 with Grant type Authorization Code:

  1. Genesys requests a token by making a POST request to Okta (Auth Provider)
  2. Genesys receives the token from Okta
  3. Genesys embeds the token in the API header and sends it to AWS API Gateway
  4. AWS Lambda validates the token with Okta; API Gateway will invoke the Lambda Authorizer (token validation)
  5. Lambda authorizer will return an allow or deny policy based on token validation (allowed or denied here)
  6. OAuth token request from the HTTP endpoint to SAP (Client Credentials)
  7. SAP returns the OAuth token to the Lambda endpoint
  8. HTTP endpoint will return the response to the API GW
  9. API GW will forward this response to Genesys

Now, as you can observe, on the Genesys side we are using the grant type Authorization Code and on the SAP side Client Credentials, and I am wondering if this will work and whether Genesys supports it.

Please let me know, as I believe we should use the same grant type in Genesys and SAP.

What about scopes and token management? How does Genesys manage token expiration/refresh?

Thanks in advance !!
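Steps 4 and 5 of the flow above (API Gateway hands the bearer token to a Lambda authorizer, which validates it and answers with an allow or deny policy) are easy to get subtly wrong, so here is a worked authorizer as an added example. It is not code from this thread, from Genesys, or from AWS. Assumptions: the token is an HS256 JWT signed with a shared secret so the example runs offline with the standard library only (Okta-issued access tokens are RS256 and must be verified against the Okta JWKS; the algorithm pinning, `exp`/`iss`/`aud` checks and the policy document are the same, only the signature step differs); `ISSUER`, `AUDIENCE`, `REQUIRED_SCOPE` and the secret are placeholders; `mint_token` exists only to produce test tokens.

```python
"""Added example, not from the forum thread: an AWS API Gateway Lambda
(TOKEN) authorizer that validates a bearer JWT and returns an IAM policy.

Assumptions (placeholders, not facts from the thread):
  * HS256 with a shared secret, so it runs offline on the stdlib; an
    Okta-issued token is RS256 and is verified against Okta's JWKS instead.
  * Issuer, audience, required scope and secret values are invented.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://example.okta.com/oauth2/default"   # placeholder
AUDIENCE = "api://genesys-sap-bridge"                # placeholder
REQUIRED_SCOPE = "sap.orders.read"                   # placeholder; Okta lists scopes in "scp"
SHARED_SECRET = b"demo-secret-for-the-example-only"  # placeholder


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the verified claims or raise ValueError (any failure is a deny)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the verifier is chosen by us, never by header["alg"],
    # which rejects "none" and key-confusion tokens outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if REQUIRED_SCOPE not in claims.get("scp", []):
        raise ValueError("missing scope")
    return claims


def make_policy(principal: str, effect: str, method_arn: str) -> dict:
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event: dict, context=None, now=None) -> dict:
    """Lambda entry point; `now` is injectable only so tests are deterministic."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return make_policy("anonymous", "Deny", event["methodArn"])
    try:
        claims = verify_jwt(token, SHARED_SECRET, now)
    except ValueError:
        return make_policy("anonymous", "Deny", event["methodArn"])
    return make_policy(claims.get("sub", "unknown"), "Allow", event["methodArn"])


def mint_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Test helper only: mint a token (alg="none" yields an unsigned one)."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

Returning a Deny policy yields a 403 from API Gateway; an authorizer that instead raises `Exception("Unauthorized")` yields a 401. Either way the Lambda that calls SAP never runs with an unverified caller, which is the property step 5 of the flow depends on.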

Hi @AshaIT
It sounds like you are using 2 independent authorization schemes. The authorization code grant for the first leg, Genesys Cloud to AWS, and client credentials for AWS to SAP. Based on that description there is no dependency between the two authorization schemes, so there shouldn't be a problem with using client credentials for AWS -> SAP. That would be a design decision.

The authorization grant features a refresh token to update an expired token without interacting with the user.

Thanks @jacobshaw !

We are looking at various grant types and one of them is client credentials. Do we need an OAuth provider like Okta for the token service if we use OAuth client credentials?

Client credentials can be authorized using a POST to https://login.mypurecloud.com/oauth/token, which returns an OAuth token. So it still uses tokens, but you don't have to use Okta. However, keep in mind that client credentials aren't meant for user interfaces or user contexts. They're suited for backend purposes such as automation.
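Because a client credentials token has no refresh token, the caller simply POSTs to the token endpoint again before the current token expires. The following added example (not code from this thread or from Genesys) shows that request, the bearer header built from the result, and expiry-based re-requesting. The endpoint URL comes from the reply above and the request and response shape follow RFC 6749 section 4.4 (Basic-auth client id and secret, `grant_type=client_credentials`, a JSON `access_token`/`token_type`/`expires_in` reply); the `FakeTokenEndpoint`, the client id and secret, and the 60-second renewal skew are constructed for the example.

```python
"""Added example, not from the forum thread: a Genesys Cloud client
credentials token source that caches the access token and asks for a new
one shortly before it expires (there is no refresh token with this grant).

Assumptions: request/response shape per RFC 6749 section 4.4; the client id,
secret, skew and the FakeTokenEndpoint below are constructed for the example.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.mypurecloud.com/oauth/token"  # from the thread


def build_token_request(client_id: str, client_secret: str):
    """Headers and body of a client-credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return headers, body


def urllib_post(url, headers, body):
    """Real transport; swapped for FakeTokenEndpoint when running offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class ClientCredentialsTokenSource:
    """Caches the token and re-requests it `skew` seconds before expiry."""

    def __init__(self, client_id, client_secret, post=urllib_post,
                 clock=time.time, skew=60):
        self._id, self._secret = client_id, client_secret
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._token

    def _refresh(self):
        headers, body = build_token_request(self._id, self._secret)
        status, raw = self._post(TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(raw)
        if data.get("token_type", "").lower() != "bearer":
            raise RuntimeError("unexpected token_type")
        # Record expiry from the issuer's expires_in rather than assuming a value.
        self._token = data["access_token"]
        self._expires_at = self._clock() + float(data.get("expires_in", 0))

    def auth_header(self) -> dict:
        """Header to attach to API calls, e.g. towards API Gateway or SAP."""
        return {"Authorization": f"Bearer {self.token()}"}


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so the example runs offline.
    Issues tok-1, tok-2, ... for the right credentials and 401 otherwise."""

    def __init__(self, client_id, client_secret):
        self._expected = build_token_request(client_id, client_secret)[0]["Authorization"]
        self.calls = 0

    def __call__(self, url, headers, body):
        self.calls += 1
        if (url != TOKEN_URL or headers.get("Authorization") != self._expected
                or body != b"grant_type=client_credentials"):
            return 401, json.dumps({"error": "invalid_client"}).encode()
        return 200, json.dumps({"access_token": f"tok-{self.calls}",
                                "token_type": "bearer",
                                "expires_in": 86399}).encode()


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint("my-client-id", "my-secret")
    source = ClientCredentialsTokenSource("my-client-id", "my-secret", post=endpoint)
    print(source.auth_header())
```

Replace `post=endpoint` with the default `urllib_post` to talk to the real endpoint; keep the secret in a secrets store rather than in code, and give the OAuth client only the role the API calls need, since every token it issues carries that role.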

So that means mypurecloud issues the token and we do not need any OAuth provider like Okta to issue the token, correct?

Also, I assume we can use client credentials to get data via API calls from backend SAP or Salesforce?

If you're using Genesys client credentials, that is correct. But again client credentials are not suited for use in a browser, UI, or user context, so that is something to consider.
About using client credentials for SAP or Salesforce, that depends on the API specs of SAP and Salesforce. You will need to consult their documentation to answer that.

@jacobshaw, in our design

Genesys CX requests a token to be granted from SAP
SAP, acting as OAuth server, grants the token to Genesys CX
Genesys CX then sends that token in the API header to SAP

So in this case I will just need to create an OAuth client in Genesys, assign a role, and provide the client ID and secret to SAP so that they add a Genesys API user in SAP with this client ID and secret.

What roles we should setup in Genesys ?
