I have a server that handles both back-end and front-end authentication with Genesys Cloud. The back-end uses the grant type "Client Authorization", and the front-end uses the grant-type "Code Authentication".
What is happening is anyone who successfully logs into the front-end is successfully getting an access token even though they are not in that organization. That seems to be very broken, but it could be my code if I'm misunderstanding something.
I would expect that access to the front-end would only be allowed if the logged-in user is in the same org as the "Code Authentication" OAuth client. Am I missing something here? Is it designed that way intentionally? E.g. do I need to check the OAuth client's org against the org of the user who is trying to log in?
With all of that said, I think the documentation and naming conventions for OAuth client grant types are confusing. To me, the grant types seem to have their names flipped.
I would expect the "Code Authorization" grant type would mean backend server code authorization, whereas the "Client Authorization" grant type would mean front-end client authentication through the browser and subsequent redirects. But it looks to be the opposite.
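The server-side org check the question asks about, as an added example that is not code from this thread or from Genesys. It assumes the Platform API endpoint `GET /api/v2/organizations/me` returns the org (with an `id`) of the user who owns the bearer token; the org id, tokens and responses below are constructed placeholders, and `fake_fetch` stands in for the real HTTP call so the block runs offline.

```python
"""Org check after a Genesys Cloud authorization-code login.

Added example, not Genesys code. Assumes GET /api/v2/organizations/me
returns {"id": ..., "name": ...} for the org of the token holder; every
token, org id and response here is constructed.
"""
import json
import urllib.request
from typing import Callable, Dict

# Placeholder: the org id the "Code Authorization" OAuth client was created in.
# Load this from server configuration, never from the login request itself.
EXPECTED_ORG_ID = "00000000-0000-0000-0000-0000000000aa"  # constructed placeholder

Fetcher = Callable[[str, str], Dict]


class OrgMismatchError(Exception):
    """Raised when the token's org is not the org this server serves."""


def platform_fetch(path: str, access_token: str, region: str = "mypurecloud.com") -> Dict:
    """Real HTTP fetcher (assumed API host layout): GET path with a bearer token."""
    req = urllib.request.Request(
        f"https://api.{region}{path}",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_token_org(access_token: str, expected_org_id: str,
                     fetch: Fetcher = platform_fetch) -> Dict:
    """Return the org document if the token belongs to expected_org_id, else raise.

    The org id comes from the token holder's own org as reported by the API,
    not from anything the browser sent, so a user who authenticated
    successfully but belongs to another org is still rejected here.
    """
    org = fetch("/api/v2/organizations/me", access_token)
    actual = org.get("id")
    if actual != expected_org_id:
        raise OrgMismatchError(f"token org {actual!r} != expected {expected_org_id!r}")
    return org


def establish_session(access_token: str, expected_org_id: str,
                      fetch: Fetcher = platform_fetch) -> bool:
    """Login gate: True only when the org check passes; a rejected token is never kept."""
    try:
        verify_token_org(access_token, expected_org_id, fetch)
    except OrgMismatchError:
        return False
    return True


# ---- constructed sample responses for an offline run (not real tokens or orgs) ----
_FAKE_ORGS = {
    "tok-same-org": {"id": EXPECTED_ORG_ID, "name": "Our Org"},
    "tok-other-org": {"id": "00000000-0000-0000-0000-0000000000bb", "name": "Other Org"},
}


def fake_fetch(path: str, access_token: str) -> Dict:
    """Stand-in for platform_fetch that serves the constructed responses above."""
    if path != "/api/v2/organizations/me" or access_token not in _FAKE_ORGS:
        raise PermissionError("constructed 401: unknown token")
    return _FAKE_ORGS[access_token]


if __name__ == "__main__":
    for tok in ("tok-same-org", "tok-other-org"):
        ok = establish_session(tok, EXPECTED_ORG_ID, fake_fetch)
        print(tok, "->", "allowed" if ok else "rejected")
```

The point of the design is that the redirect back from the authorization server only proves the user authenticated somewhere in Genesys Cloud; the server still has to ask the API which org the token belongs to and compare it with the org it was configured for before creating a session.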
I have seen lots of people post in these forums due to confusion with how the various OAuth types work. Here is a previous response about using "code Authentication" that might help you:
Thank you sir. Can the names be addressed, whether or not they were created by Genesys? "Code Authorization" should be back-end server applications. "Client Authorization" should be front-end logins as a matter of framework.