Grant Types - Desktop App

Hello

I'm trying to make a desktop app and I want it to have user context, so I suppose that I should use Implicit Grant or Authorization Code Grant.

However, my app is running locally, without using any web browser nor server, so I do not know how to handle the redirects part...

My idea was to ask the user for their PureCloud username and password, and with them the app would obtain the token to make the requests. Would that be possible?

That constitutes mishandling of a user's credentials and is a good way to get your account suspended. I strongly recommend against it.

OAuth requires that users authorize using the PureCloud authorization UI. The only alternative to that is to implement the SAML2 Bearer flow where a 3rd party SSO provider can provide a SAML assertion to authenticate the user.

In what language is your desktop app written?


Hello Tim

Thank you, I didn't know that. I just wanted to avoid client credentials, because it would give the same access level to all users regardless of who they are.

About SAML2, I am not very sure how it is implemented. In the Developer Center I've seen tutorials of the other grant types, but I haven't found the SAML2 one.

The app is being written using Python.

I've never personally done this in Python before, but you'll want to use something like the Python webbrowser controller to embed a browser in your app to allow the user to authenticate. You'll want to use the Auth Code Grant for this scenario. There's an open source project that does this in .NET. You can use it as a guide since you'll need to implement more or less the same thing in Python.

Correct, you definitely do not want to deploy client credentials in an end-user app for several reasons. One primary reason is that client credentials lack a user context, so you cannot use APIs that require a user context, such as answering a call. You'll also run into concurrent token limits as client credentials aren't meant to be used that way.

There's not a tutorial for SAML2 Bearer, but there is an open source project demonstrating implementing that auth flow using Okta.
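The "redirects part" the original question asks about, as an added Python example that is not from this thread, the .NET project mentioned above, or Genesys: the app opens the system browser on the authorization URL with the `webbrowser` module, listens on a loopback port for the single redirect that carries the authorization code, checks the `state` value it generated (so a forged redirect into the listener is rejected), and then exchanges the code for a token. The authorization base URL (`login.mypurecloud.ie`, the region named later in the thread), the redirect URI `http://localhost:8085/callback`, the `/oauth/authorize` and `/oauth/token` paths, and HTTP Basic client authentication on the token endpoint are all assumptions; check them against the OAuth client you register in PureCloud before using this.

```python
"""Authorization Code Grant for a local desktop app (added example, not Genesys code).

Assumptions (verify against your own OAuth client registration):
  - AUTH_BASE / paths follow the login.mypurecloud.ie/oauth/... pattern
  - REDIRECT_URI is registered on the OAuth client as an allowed redirect
  - the token endpoint accepts client_id:client_secret as HTTP Basic auth
"""
import base64
import http.server
import json
import secrets
import urllib.parse
import urllib.request
import webbrowser

AUTH_BASE = "https://login.mypurecloud.ie"        # assumption: region from the thread
REDIRECT_URI = "http://localhost:8085/callback"   # assumption: registered on the client


def build_authorize_url(client_id, state, auth_base=AUTH_BASE, redirect_uri=REDIRECT_URI):
    """URL the user's browser is sent to; `state` ties the redirect back to this login."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{auth_base}/oauth/authorize?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Pull the code out of the redirect request; refuse it unless `state` matches."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if "error" in query:
        raise RuntimeError("authorization server returned error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: redirect was not for this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise RuntimeError("redirect carried no authorization code")
    return code


class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    expected_state = None   # set per login attempt
    result = None           # str (code) or RuntimeError once the redirect arrives

    def do_GET(self):
        if urllib.parse.urlparse(self.path).path != "/callback":
            self.send_error(404)            # ignore favicon and stray requests
            return
        try:
            type(self).result = parse_callback(self.path, self.expected_state)
            body = b"Signed in. You can close this window."
        except RuntimeError as exc:
            type(self).result = exc
            body = b"Authorization failed."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the desktop app's console quiet
        pass


def wait_for_code(expected_state, port=8085):
    """Serve loopback requests until the redirect for this login has been handled."""
    _CallbackHandler.expected_state = expected_state
    _CallbackHandler.result = None
    with http.server.HTTPServer(("127.0.0.1", port), _CallbackHandler) as server:
        while _CallbackHandler.result is None:
            server.handle_request()
    if isinstance(_CallbackHandler.result, Exception):
        raise _CallbackHandler.result
    return _CallbackHandler.result


def exchange_code(client_id, client_secret, code, auth_base=AUTH_BASE, redirect_uri=REDIRECT_URI):
    """Trade the one-time code for tokens. Note: a secret shipped inside a desktop
    binary is not really secret; treat it as an app identifier, not a credential."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    data = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    req = urllib.request.Request(
        f"{auth_base}/oauth/token",
        data=data,
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def login(client_id, client_secret):
    """Full desktop flow: browser -> loopback redirect -> token."""
    state = secrets.token_urlsafe(16)             # unguessable per-attempt value
    webbrowser.open(build_authorize_url(client_id, state))
    code = wait_for_code(state)
    return exchange_code(client_id, client_secret, code)


if __name__ == "__main__":
    print(login("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")["access_token"][:8] + "...")
```

The listener only ever sees the short-lived code, never the user's password, which is the point of the reply above: the user types their credentials into the PureCloud login page in their own browser, and the app receives a token scoped to that user.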

Thank you for your answers, Tim. I'll take a look at those projects.

About the SAML2 option, I see that in PureCloud only one SSO provider of each kind can be configured, and the URIs are different depending on whether it is for logging in or for the app OAuth. Because of this we could not use only one SSO provider for both purposes, right?

You can use the same SSO config for logging in using the official PureCloud web app and your custom app. There's nothing in the SSO configuration that is specific to the app that's attempting to be authorized. The app-specific configuration is part of the OAuth client, which you must create for your app regardless of which grant type you are using.

Oh, I thought that it was not possible because of this line of the README:

"Single sign on URL and Audience URI should be the URL to your app where the SAML assertion POST will be received. In the case of this example application, https://localhost:8443/saml may be a good value."

Whereas the Resource Center says the Audience URI must be "https://login.mypurecloud.ie/saml".

I'll add a little nuance to my answer. The SSO config on the PureCloud side doesn't require configuration for the app that's doing the authenticating. So PureCloud isn't going to block a SSO provider from working with multiple apps. However, each SSO provider is different and may or may not allow multiple apps/assertion URIs to be configured. I'm not familiar with configuring each SSO provider, so I can't say if that's going to be an issue when you configure your SSO provider.

Oh, ok. Thank you for your help, Tim :)
