Getting an error while authenticating user with help of OpenID Connect Messenger configuration

Hi Team,
Getting the error below while authenticating a user with the help of the OpenID Connect Messenger configuration.


genesys.min.js:10

**POST https://api.usw2.pure.cloud/api/v2/webdeployments/token/oauthcodegrantjwtexchange 401 (Unauthorized)**

Can you please help me out in resolving this error?

Also, please validate my OpenID Connect Messenger configuration; in this integration I used Azure AD as the auth provider:

  1. Created this integration by taking the link below as reference:
    Integrate Messenger with Okta for identity management (SSO) (genesys.cloud)
  2. Configured the Azure App registration credentials within the Credentials section of the OpenID Messenger integration in Genesys Cloud.

In the code, I am passing the Azure AD ID token as shown below:

sessionStorage.getItem("msal.idtoken"): this Azure ID token is generated using the Microsoft https://alcdn.msftauth.net/lib/1.2.0/js/msal.js library.

Please validate the above configuration and help me out with the error.

Hi,

Based on the contextId provided, I could see the following error:

invalid_grant (AADSTS9002313: Invalid request. Request is malformed or invalid. Trace ID: eec9e6e2-60ac-4287-a6d7-347bff0be504 Correlation ID: 6f702bd4-4154-4eba-abd7-c3bf454f7de0 Timestamp: 2024-01-11 17:50:35Z)

Unfortunately, I do not have access to your configuration, but I would advise the following:

  • Start with a simple config. Do not fill up extra security parameters like maxAge, nonce, codeVerifier and iss.
    codeVerifier is a PKCE code, so a string, not a boolean value.
  • You are setting the idToken as the authCode. It should be an exchange code, not accessToken or idToken.
    The exchange code set will be used to retrieve tokens (access token and idToken).
    This is what the Genesys Api does for you.
    This can be done only once for a given exchange token.
    Remember that the flow used is not the implicit grant flow but the authorization code flow.
    Refer to this Microsoft doc:
  • Make sure that the Azure App is of type Web. It won't work with SPA type for example.
  • Before calling our Api, test your Azure config manually using standard Http requests:
    Send first a request to retrieve a code (this will be done by Messenger for you).
    Example:

GET /{tenantId}/oauth2/v2.0/authorize?
client_id=<your_client_id>
&response_type=code
&redirect_uri=<your_call_back_url>
&response_mode=fragment
&scope=openid%20profile%20email%20offline_access
&state=12345 (this can be any string that you want)

Upon successful authentication, the authorization server will redirect to the call back url specified with the code to exchange in the url parameters.

  • Then exchange the code with another Http request.
    Beware that this operation is usually time constrained. The exchange code has a time to live of one minute usually (depends on the authorization server).
    See exchange code doc
    Example:

POST /{tenantId}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=<your clientId>
&scope=openid%20profile%20email%20offline_access
&code=<exchange_code>
&redirect_uri=<your_url>
&grant_type=authorization_code
&client_secret=<your-secret> // NOTE: Only required for web apps. This secret needs to be URL-Encoded.

  • If it fails, then fix your Azure configuration. It will not work with Genesys either.
  • If this works, then your Azure config is OK, and you can start playing with the Genesys Api.
    Repeat step 1:
    Manually get a code to exchange with a GET HTTP request.
    Upon success, now call the Genesys Api with the exchange code retrieved.

POST /api/v2/webdeployments/token/oauthcodegrantjwtexchange
{
"deploymentId": "<id>",
"oauth": {"code": "<your code>", "redirectUri": "<your callback url>"}
}

It should work and you'll get a 200 with a JWT in return.

  • From there, you can start to add extra security parameters, like PKCE, nonce, etc.
    Proceed step by step.

  • Once you get your config working, move to Messenger app for testing with all those parameters.

Hope this helps.

Regards,
V.P.

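The manual test V.P. walks through above, carried out offline as an added example (not code from this thread, from Genesys or from Microsoft): it builds the authorize URL, pulls the one-time code out of the callback while checking the state value, and builds the Azure token-exchange body and the Genesys exchange body. The Microsoft host login.microsoftonline.com, the angle-bracket placeholder IDs, the example redirect URI and the constructed client secret are assumptions.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed placeholders: replace with your own tenant, app and deployment values.
TENANT_ID = "<tenant_id>"
CLIENT_ID = "<client_id>"
CLIENT_SECRET = "p@ss/word+with=special&chars"   # constructed; shows why the secret must be URL-encoded
REDIRECT_URI = "https://example.test/callback"
DEPLOYMENT_ID = "<deployment_id>"
SCOPES = "openid profile email offline_access"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"  # assumed Microsoft identity host

def build_authorize_url(state: str) -> str:
    """Step 1: the GET /authorize request (in production Messenger sends this for you)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",      # authorization code flow, not implicit: no token in the URL
        "redirect_uri": REDIRECT_URI,
        "response_mode": "fragment",
        "scope": SCOPES,
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"

def extract_code(redirect_url: str, expected_state: str) -> str:
    """Pull the one-time code out of the callback URL; reject a state mismatch (CSRF check)."""
    parsed = urlparse(redirect_url)
    params = parse_qs(parsed.fragment or parsed.query)  # fragment mode -> after '#', query mode -> after '?'
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    return params["code"][0]  # short-lived and single-use: exchange it immediately

def build_token_request_body(code: str) -> str:
    """Step 2: x-www-form-urlencoded body for POST /token; urlencode escapes the secret's special characters."""
    return urlencode({
        "client_id": CLIENT_ID,
        "scope": SCOPES,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
        "client_secret": CLIENT_SECRET,  # Web app type only; keep it server-side, never in the browser
    })

def build_genesys_exchange_body(code: str) -> str:
    """Step 3: JSON body for POST /api/v2/webdeployments/token/oauthcodegrantjwtexchange (send the code, not the idToken)."""
    return json.dumps({"deploymentId": DEPLOYMENT_ID,
                       "oauth": {"code": code, "redirectUri": REDIRECT_URI}})
```

Running step 2 yourself confirms the Azure app is configured correctly; in the real flow only step 3 is sent to Genesys, which performs the token exchange with the code on your behalf.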

Hi VPirat,

Thank you so much for providing a detailed guideline for the OpenID integration.
Based on the link you provided, in order to get an Auth Code using the Authorization Code Flow, we need to add a few missing permissions within the Azure App registration instance.

Also, can you please guide us on the Discovery URI field value of the OpenID Connect Messenger Configuration?

Can we use the URI below for the Discovery URI field:

**Sign in to your account&response_type=code&redirect_uri=http://localhost:10360/Home/Index&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read&state=12345**

Also, please confirm about the Client Credentials:

I hope we should use the app registration client id and secret key in the credentials section of OpenID Connect Messenger. Please confirm this.

Hi,

Nice to see you made progress.

Regarding the discovery URL, the URL should always end with "/.well-known/openid-configuration".
To get your own, go to Azure App registration and select the Endpoints menu.
Copy/paste the metadata URL. See picture below.

For the credentials, yes, this has to be the clientId and secretId that you assigned to your Azure app.
The secretId should never be disclosed.

Best regards,
V.P.


Hi VPirat,

After making the necessary changes on the Azure side, I am able to generate an Auth Code.
I am also able to generate an ID Token with Genesys with the help of the Auth Code.
Thank you so much for all the help. Appreciated.
