We have a challenge with one of the customer's APIs. For the Authorization, we have to use JWT token, and we asked to provide more details so we can test and see if this can be done via Custom Auth Data Actions.
We got the details today and found out there is audience claim for JWT token.
Our tests:
Postman - add audience claim under Authorization->OAuth 2.0 -> Advanced Tab. All was working fine. We were able to get the response and JWT token back (see the details):
Created Web service Integration with OAuth credentials. Unpublished Custom Auth Data Action and tried to change the Request Body by adding "audience" key in the Request Body. Of course, that didn't work. Got the error the credentials are not supported. Then, added "audience" under Integration->Advanced Configuration for the Custom Auth Data Action. It ran successfully, but the output is redacted (see here):
Need a confirmation from you: is this can be solved only outside of Genesys i.e. using middleware (e.g. AWS Lambda) or I'm missing something? Please advise.
Don't have the endpoints to test other Custom Data Action. The testing sent here is from Custom OAuth Data Action.
I did more testing today, using Postman and removed "audience" claim from the Authorization and it is working fine, was getting the token. Found more readings regarding claim "audience" for JWT token and the use of this claim is optional (see below in italic).
Can you please provide more details about when and how to use Integration->Advanced Configuration
Audience claim:
The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case- sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.
I don't really understand what your issue is right now. Integration->Advanced Configuration isn't used at all by data actions, so any changes you are making there shouldn't be having any impact on how authentication behaves. If you see documentation instructing you to do this, please forward it to me to get it cleaned up.
You should be able to include the audience in your request body, and it is entirely possible that while you can get a token without it, you wouldn't be able to do anything useful with that token without the audience specified. Can you post your request body template and the error that you are getting back when this fails?
Your Request Body Template is not properly set in your Request Configuration.
With Content-Type:application/x-www-form-urlencoded, the params in the body are separated with "&" (and not with a comma). Values should also be escaped.
You can try the following: grant_type=client_credentials&audience=$esc.url('api://coreapi-dev')