Hi, I have a quick question on Auth Code authorization.
I am implementing the Auth Code authentication method for our React single page application.
I found this thread in the Genesys dev Forum that mentioned that PKCE should be supported in Q3.
Just wondering if it is ready now?
Also, from this link, I think a browser app is suggested to use Implicit Grant instead?
I am facing a CORS issue while trying to send a POST request on the second step of the Code Grant to exchange the Access Code for an Access Token from the '/token' endpoint, something like below:
Will Genesys Cloud support authorization with PKCE? I talked with our product manager and it was released in August. Take a look at the authorization API.
On the browser issue, it looks like your screenshot did not show up properly. I am going to phone a friend (@tim.smith) and see if he can jump in on the CORS issue. Tim is a better front-end developer than I am and can probably answer your question better than I can.
Thanks,
John Carnell
Manager, Developer Engagement
This is intentional. The Auth Code grant requires a backend service to exchange the code for an access token. Because this is only suitable for a backend service and not a frontend web app, there are no CORS headers on the /token endpoint. The reason this cannot be done from a browser is because a browser is incapable of handling a client secret securely. If you're authorizing a front-end web app, use the implicit grant.
I think with PKCE the client_secret is not required for exchanging the access code for an access token.
The runtime-generated code_challenge/code_verifier is in place to replace it.
I am currently able to use my NodeJS server as a proxy server to hit the /token endpoint for my React app (POST to Node, which then makes the POST to /token).
I hope this is a valid solution to the CORS issue if we still want to use Auth Code grant.
Please let me know if you see any concerns with this implementation.