Integrate Messenger with Okta for identity management

Hi, I'm currently trying to get my head around Authenticated Messaging. I have followed the sample code provided by @tim.smith from here but I keep looping back to the Okta Login screen with the following error:

Auth Error Failed to identify user for token: f3cxxxxxxxxxxxcdc0 deploymentId: 311xxxxxx-xxxxx-xxxxx-xxf2 localhost:8080:555:14

From the sample code (as indicated by the error - line 555) I can see this appears to be an error coming from GC. My Okta logs show no errors and the user is authenticated successfully. Does anyone know what might be going on? Have I configured something incorrectly in GC? I can't even get the sample Blueprint code to run from the sample Blueprint Repo - it fails too.

Any help appreciated.

Hi Brad,

Could you please tell us in which region you are testing and share any contextId so that we can investigate logs?

Regards,
V.P.

Hi @vpirat, I'm using the following Org and region.

OrgId: e9b6fdaa-2b8a-40c0-bc59-544e21460b84
Region: APSE2 (mypurecloud.com.au)

Digging into it a bit more I've tried running the sample code locally with breaks so I can see more. It appears the error message I am seeing is due to a 401 error calling this URL on GC....

https://api.mypurecloud.com.au/api/v2/webdeployments/token/oauthcodegrantjwtexchange 401 (Unauthorized)

Here is the JSON returned along with a timestamp to hopefully make searching easier :slight_smile:

index.html?code=D7SixxxxxxxxxxxxxxxxxxxxxxxxxxxxxE&state=1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo:546 {
  "time": 1678839762597,
  "publisher": "Auth",
  "event": "auth.error",
  "data": {
    "message": "Failed to identify user for token: 386591a2734523e2cbd7e501b26f66da deploymentId: 31158db8-c587-4298-a1bf-f1ac95be16f2",
    "code": "unauthorized",
    "status": 401,
    "contextId": "13e6b89b-4f37-409f-ba95-7f398c6d5f84",
    "details": [],
    "errors": []
  }
}

Much appreciated. Can you also maybe check my GC configuration on the Deployment and Configuration.

Cheers
Brad

Thanks a lot.

That's very valuable.
Unfortunately I cannot access your config data but it should not be required.
Investigating.

Regards,
V.P.

Cheers. FYI - done a lot more investigation and found the following...

  • Call to login to Okta works fine. 'code' is returned and I can use the returned code to manually call https://dev-56993126.okta.com/oauth2/default/v1/token and receive back id tokens. So no issue with Okta setup.

  • AuthProvider plugin (my code) is successfully registered with the messenger plugin along with the 'getAuthCode' function.

  • When I tell messenger that the 'AuthProvider' is setup and ready to use ('AuthProvider.ready();') this then triggers the call to the https://api.mypurecloud.com.au/api/v2/webdeployments/token/oauthcodegrantjwtexchange API. I understand this should then request the tokens using the code/nonce/returnURL supplied by the AuthProvider.getAuthCode call executed by Genesys' 'Auth' plugin.

  • The 'Auth' plugin seems to successfully call the https://api.mypurecloud.com.au/api/v2/webdeployments/token/oauthcodegrantjwtexchange API - BUT, somewhere in the flow for this API things fail. I can see that the call to this API partially works as my Okta logs show that a token request was made using the code provided and that 3 tokens were successfully issued - id_token, access_token and refresh_token. These are returned to GC but after that is where the rest of the flow fails and the API spits out the 401 error.

Latest test details:

index.html?code=oWDmw_CK7jODuyFrIJldIWnrFFsbYye6ug08zm0JpCY&state=7cbacxPZ8kyAhx7Lkddt9jkMiKqXeX8YWJhGDHl4dUu9pZYS1rjFAGb0oeWiR3LU:78 {
  "time": 1678917650016,
  "publisher": "Auth",
  "event": "auth.error",
  "data": {
    "message": "Failed to identify user for token: ec6ba7f39a0882a898cbf2e5db0db631 deploymentId: 31158db8-c587-4298-a1bf-f1ac95be16f2",
    "code": "unauthorized",
    "status": 401,
    "contextId": "86d5272f-a1f1-4bf2-8788-d826e5670ca5",
    "details": [],
    "errors": []
  }
}

Hope this all helps - shall I raise a Case via normal channels too?
Cheers
Brad
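
Added example, not part of the thread or of Genesys' sample code: one way the page hosting the AuthProvider plugin could validate the identity provider's redirect before handing the code to getAuthCode, covering the code/nonce/returnURL hand-off described in the post above. The function names, the `expected` object and the payload field names are assumptions, and the sample URLs and values are constructed.

```javascript
// Added example. Function names and the `expected` object are hypothetical.
// Payload field names (authCode, redirectUri, nonce) are an assumption based on
// the thread's "code/nonce/returnURL"; check them against the Messenger SDK docs.

// Validate the IdP redirect and build what a getAuthCode handler would return.
function parseAuthRedirect(href, expected) {
  const url = new URL(href);
  const q = url.searchParams;

  // An OAuth error redirect carries ?error=... instead of ?code=...
  if (q.has('error')) return { ok: false, reason: 'idp_error:' + q.get('error') };

  const code = q.get('code');
  const state = q.get('state');
  if (!code || !state) return { ok: false, reason: 'missing_code_or_state' };

  // state must equal the value stored before redirecting to the IdP (CSRF check).
  if (!expected.state || state !== expected.state) {
    return { ok: false, reason: 'state_mismatch' };
  }

  // The token endpoint rejects a redirect_uri that differs from the one used on
  // the authorize request, so compare origin + path (query string excluded).
  const redirectUri = url.origin + url.pathname;
  if (redirectUri !== expected.redirectUri) {
    return { ok: false, reason: 'redirect_uri_mismatch' };
  }
  return { ok: true, payload: { authCode: code, redirectUri, nonce: expected.nonce } };
}

// Drop the single-use code and state from a URL so they do not linger in the
// address bar, browser history or console output; other parameters are kept.
function stripAuthParams(href) {
  const url = new URL(href);
  ['code', 'state'].forEach((name) => url.searchParams.delete(name));
  return url.toString();
}

// Constructed sample values (not taken from the thread).
const SAMPLE_EXPECTED = {
  state: 'constructed-state-123',
  nonce: 'constructed-nonce-456',
  redirectUri: 'http://localhost:8080/index.html',
};
const SAMPLE_REDIRECT =
  'http://localhost:8080/index.html?code=constructed-code-789&state=constructed-state-123&lang=en';
```

In a browser, the cleaned URL from `stripAuthParams(location.href)` would typically be applied with `history.replaceState` once the code has been captured.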

Hi Brad,

yes, you can raise a case.
Looks like there is a failing check in our service.

Regards,

Hi Brad,

Could you try again?
New version was deployed today and should fix your issue.
Let me know if you still experience errors.

Regards,
V.P.

Yay!!!!
Works as advertised :slight_smile: I can now authenticate properly.
Thanks for your help!
