OAuth implicit authentication with no browser navigation

Hi all

We are using OAuth implicit authentication to check whether the user is logged in or not, on the .NET platform. The client for whom we are developing this solution uses a web ERP that will provide the “click to call” function.

However, the first recommended solution is to use the PureCloudPlatform component, oAuthWebBrowserForm. With this, the WebBrowser component navigates to the OAuth login URL (e.g. https://login.mypurecloud.com/oauth/authorize?client_id=d60f32b8-feaf-4acc-950b-8e3d6b9be31f&response_type=token&redirect_uri=http://localhost:8080) and checks whether the user is already logged in or not.

We found a gap in this solution: because the WebBrowser does not store the OAuth cookie, the user can be logged in as user X on the PureCloud Platform and a call can be made by user Y while logged in as user X.

To avoid this gap we are trying to use an HttpClient to make a GET request that redirects us to the URL containing the access_token parameter (we are trying to avoid navigation in a specific browser).

See the example below:

using System;
using System.Net.Http;

// Follow redirects automatically and keep cookies between requests
var handler = new HttpClientHandler()
{
    AllowAutoRedirect = true,
    UseCookies = true
};

HttpClient client = new HttpClient(handler);

var request = new HttpRequestMessage(HttpMethod.Get, new Uri("https://login.mypurecloud.com/?rid=frzVqwsGy-cyY90rbVw9VHbnSIOtvqwG3o909c-A4NI"));
HttpResponseMessage result = new HttpResponseMessage();

try
{
    result = client.SendAsync(request).Result;
}
catch (Exception ex)
{
    // Request failed; the exception is not handled here
}

// The final URL after any redirects is result.RequestMessage.RequestUri

With this example we are not being redirected to the URL that contains the access_token parameter; the responseUri is always https://login.mypurecloud.com/?rid=frzVqwsGy-cyY90rbVw9VHbnSIOtvqwG3o909c-A4NI

Do not circumvent the authorization process. The OAuth flow exists for security purposes to require the user to authorize the applications they use. Bypassing this process constitutes abuse of the platform and can result in suspension of your org.

If you need to manage the browser's cookies between sessions, do so by interfacing with the WebBrowser control you're using and allow the user to complete the authorization flow normally.

If you have a hard requirement that the user must not be prompted to authorize an app, you must implement the SAML2 Bearer authorization grant and integrate with an auth provider that is capable of providing SAML assertions without prompting the user.
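As an added example (not code from this thread or from the Genesys SDK), the non-interactive path the reply above points to is the SAML2 Bearer grant of RFC 7522: the org's identity provider issues a signed SAML assertion for the user without prompting, and the application exchanges that assertion for an access token at the token endpoint. The code assumes the token endpoint is https://{login host}/oauth/token (use your regional host), that client id and secret go in an HTTP Basic Authorization header, and that Genesys additionally requires an orgName form field; those Genesys-specific details are assumptions to verify against the current Genesys Cloud documentation. System.Text.Json needs .NET Core 3.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: exchange a SAML 2.0 assertion for a Genesys Cloud access token (RFC 7522).
public static class Saml2BearerGrant
{
    // samlAssertionXml: a signed SAML 2.0 assertion for the user, produced by the org's
    // IdP without prompting the user. Obtaining it is the IdP's job, not this code's.
    public static async Task<string> GetAccessTokenAsync(
        string loginHost, string clientId, string clientSecret,
        string orgName, string samlAssertionXml)
    {
        if (string.IsNullOrWhiteSpace(samlAssertionXml))
            throw new ArgumentException("A SAML assertion is required", nameof(samlAssertionXml));

        // The assertion travels base64-encoded in the form body.
        string assertion = Convert.ToBase64String(Encoding.UTF8.GetBytes(samlAssertionXml));

        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:saml2-bearer",
            ["orgName"] = orgName,       // assumption: Genesys-specific field, check the docs
            ["assertion"] = assertion,
        };

        using (var client = new HttpClient())
        {
            // Client credentials belong in the Authorization header, never in the URL.
            string basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(clientId + ":" + clientSecret));
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", basic);

            using (HttpResponseMessage response = await client.PostAsync(
                "https://" + loginHost + "/oauth/token", new FormUrlEncodedContent(form)))
            {
                string body = await response.Content.ReadAsStringAsync();
                if (!response.IsSuccessStatusCode)
                    throw new InvalidOperationException(
                        "Token request failed with HTTP " + (int)response.StatusCode + ": " + body);

                // Standard OAuth token response: access_token, token_type, expires_in
                using (JsonDocument doc = JsonDocument.Parse(body))
                    return doc.RootElement.GetProperty("access_token").GetString();
            }
        }
    }
}
```

The assertion is tied to one user and one audience, so this does not let user Y act as user X: whichever user the IdP asserted is the user the token belongs to, which is exactly the property the click-to-call integration needs.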

Tim, good morning.

I tried to call the URL through HttpWebRequest:
using System.Net;
// Request the authorization endpoint directly; redirects are followed automatically
HttpWebRequest webReq = (HttpWebRequest)WebRequest.Create("https://login.mypurecloud.com/oauth/authorize?client_id=c97ea46c-cd5d-4b76-99af-7cerf66a2af&response_type=code&redirect_uri=http://localhost:53736/home/EfetuarChamada");
webReq.Method = "GET";
HttpWebResponse webResponse = (HttpWebResponse)webReq.GetResponse();
string uri = webResponse.ResponseUri.AbsoluteUri;   // final URL reached after redirects

However, it is returning: https://login.mypurecloud.com/?rid=QgQXDXuOgu95wec4pdYMZde22WL9AGsQ0ZxdII_XgHo#/
instead of returning: http://localhost:53736/home/EfetuarChamada?code=21P22kV3bdeRiit0TweDFzZdkebk04jLJBkfy4UcJmk

Do I need to pass any session parameters to HttpWebRequest?

Please, how do I do this?

Trying to execute an auth flow with a web request to avoid showing the browser to the user constitutes circumventing the auth process. Do not do this or you may lose your org.

Good Morning.
Is there a way to log out of the OAuthWebBrowserForm component?
Because when changing user, it remains logged in.
Dispose does not do this.
The session remains logged in even after Dispose.

That's because the browser is remembering the auth cookie that Genesys Cloud sets. You need to clear the cookies in the browser or navigate to https://login.mypurecloud.com/logout (use your regional URL if different) which will remove the auth cookie.
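As an added example (not code from this thread or from the PureCloud/Genesys SDK's OAuthWebBrowserForm), the following WinForms helper does what the two replies above describe: it first navigates the WebBrowser control to the platform's logout URL so the previous user's auth cookie is dropped, then runs the implicit grant normally in that same control and reads the access_token from the fragment of the redirect. It assumes a WinForms WebBrowser control, a login host such as login.mypurecloud.com (use your regional host), a redirect_uri that is the one registered for the client, and that the authorize endpoint echoes the OAuth 2.0 state parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Windows.Forms;

// Added example: log the previous user out, then run the implicit grant in the WebBrowser control.
public class ImplicitGrantBrowser
{
    private readonly WebBrowser browser;
    private readonly string loginHost;   // e.g. "login.mypurecloud.com" (use your regional host)
    private readonly string clientId;
    private readonly Uri redirectUri;    // must be the redirect URI registered for the client
    private string expectedState;

    public event Action<string> TokenReceived;
    public event Action<string> AuthorizationFailed;

    public ImplicitGrantBrowser(WebBrowser browser, string loginHost, string clientId, Uri redirectUri)
    {
        this.browser = browser; this.loginHost = loginHost;
        this.clientId = clientId; this.redirectUri = redirectUri;
    }

    // Step 1: end the platform session the control's cookie store remembers, then authorize.
    // Dispose() alone keeps the auth cookie, so user Y would otherwise inherit user X's session.
    public void LogoutThenAuthorize()
    {
        WebBrowserDocumentCompletedEventHandler onLogoutDone = null;
        onLogoutDone = (s, e) =>
        {
            browser.DocumentCompleted -= onLogoutDone;
            Authorize();
        };
        browser.DocumentCompleted += onLogoutDone;
        browser.Navigate("https://" + loginHost + "/logout");
    }

    // Step 2: the normal implicit grant, inside the browser. If there is no valid session
    // the user sees the login page; the authorize URL is never fetched with HttpClient.
    public void Authorize()
    {
        expectedState = NewState();
        browser.Navigating += OnNavigating;
        browser.Navigate("https://" + loginHost + "/oauth/authorize"
            + "?client_id=" + Uri.EscapeDataString(clientId)
            + "&response_type=token"
            + "&redirect_uri=" + Uri.EscapeDataString(redirectUri.OriginalString)
            + "&state=" + expectedState);
    }

    // Step 3: intercept the redirect back to redirect_uri before the browser loads it.
    private void OnNavigating(object sender, WebBrowserNavigatingEventArgs e)
    {
        if (!string.Equals(e.Url.GetLeftPart(UriPartial.Path),
                           redirectUri.GetLeftPart(UriPartial.Path), StringComparison.Ordinal))
            return;
        e.Cancel = true;
        browser.Navigating -= OnNavigating;

        // The implicit grant returns the token in the fragment (#...), not the query string.
        Dictionary<string, string> p = ParseFragment(e.Url.Fragment);
        string state, error, token;
        if (!p.TryGetValue("state", out state) || state != expectedState)
            AuthorizationFailed?.Invoke("state mismatch: redirect not from this authorization request");
        else if (p.TryGetValue("error", out error))
            AuthorizationFailed?.Invoke(error);
        else if (p.TryGetValue("access_token", out token) && token.Length > 0)
            TokenReceived?.Invoke(token);
        else
            AuthorizationFailed?.Invoke("redirect contained no access_token");
    }

    // Minimal fragment parser so the example needs no System.Web reference.
    private static Dictionary<string, string> ParseFragment(string fragment)
    {
        var result = new Dictionary<string, string>();
        foreach (string pair in fragment.TrimStart('#').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);
            result[Uri.UnescapeDataString(key)] = Uri.UnescapeDataString(value);
        }
        return result;
    }

    // 128-bit random state, hex-encoded, binding the redirect to this authorization request.
    private static string NewState()
    {
        byte[] bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }
}
```

Call LogoutThenAuthorize() every time the operator switches user, subscribe to TokenReceived to hand the token to the SDK, and treat AuthorizationFailed as a hard stop rather than falling back to whatever session the control still has. The state check matters even on a local redirect: without it, any page the control is navigated to could redirect to http://localhost:8080#access_token=... and have its token accepted as the current user's.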
