We have a web-based front end that users interact with, including an option for them to perform updates against Genesys Cloud. When they select this, we connect to the API and follow the Code Authorization Grant flow to obtain an access token. This is subsequently passed to a stateless daemon process along with a specific update to perform against Genesys Cloud. A single interaction of a user may include many of these updates, all reusing the same authentication code.
We have multiple users that do this simultaneously, and all use the same OAuth client set up for this purpose - each user obviously authenticates individually and is granted their own authorization code.
We are seeing issues when updates using multiple authorization codes are interleaved. For example, if user 1 makes an update using authentication code 1, then user 2 makes one using authentication code 2, a subsequent call by user 1 using the (unexpired) authorization code 1 fails with a 401 and error message "Invalid login credentials".
Is this approach supposed to work? Or are we supposed to have a separate OAuth client per user, or some other model? The documentation gives no hint that this approach is invalid, as each granted code is unique, and requiring a separate OAuth account per user will make much additional admin work going forward.
I suspect something else is going on with your application and it may be mishandling the auth tokens in some way; there is no limit to how many users can simultaneously authorize using a given OAuth client. For example, literally every single user on the entire Genesys Cloud platform uses the same OAuth client when authorizing the Genesys Cloud UI. That's more than a million concurrent active sessions.
This seems suspect. The auth code given to your app to exchange for an auth token can be used exactly once. If a user needs a new auth token, they must complete the auth flow again to send your backend a new auth code.
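As an added illustration of the two points above (one OAuth client serving many users at once, and an authorization code being exchangeable exactly once), here is a constructed simulation; it is not Genesys Cloud's code or API, and the server, token and user names are made up:

```python
import secrets

# Constructed simulation (added example, not Genesys Cloud's own code or API).
# One OAuth client, many users: each user's authorization code is exchanged
# exactly once, and the resulting tokens stay valid independently of each other.

class FakeAuthServer:
    def __init__(self):
        self._codes = {}   # unconsumed authorization code -> user
        self._tokens = {}  # access token -> user

    def authorize(self, user):
        """User completes the login; a one-time authorization code is issued."""
        code = secrets.token_urlsafe(8)
        self._codes[code] = user
        return code

    def exchange(self, code):
        """Backend exchanges the code for a token. A code works exactly once."""
        user = self._codes.pop(code, None)
        if user is None:
            raise PermissionError("invalid_grant: code already used or unknown")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = user
        return token

    def call_api(self, token, update):
        """Simulated API call: 401 when the bearer token is not recognised."""
        user = self._tokens.get(token)
        if user is None:
            return 401, "Invalid login credentials"
        return 200, f"{user}: {update}"

def daemon_process(server, job):
    """Stateless worker: the token travels with each job, never in shared state."""
    return server.call_api(job["token"], job["update"])

def run_interleaved(server):
    """Two users' tokens from the same client, used in interleaved order."""
    t1 = server.exchange(server.authorize("user1"))
    t2 = server.exchange(server.authorize("user2"))
    jobs = [{"token": t1, "update": "u1-a"}, {"token": t2, "update": "u2-a"},
            {"token": t1, "update": "u1-b"}]
    return [daemon_process(server, j) for j in jobs]

def reuse_code_fails(server):
    """Exchanging the same authorization code twice must be rejected."""
    code = server.authorize("user1")
    server.exchange(code)
    try:
        server.exchange(code)
    except PermissionError:
        return True
    return False
```

If a real deployment sees a 401 in the interleaved pattern, the thing to compare is the token each job actually carried, since per-user tokens from one client should not invalidate each other here.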
Hi Tim, thanks for the swift reply and the confirmation that this is supposed to work off a single OAuth client. I will investigate further and see if we can spot a difference between the processing when we are getting the invalid login credentials.
When I referred to reusing the same code, I meant the same token - the whole authentication process takes place in the UI.
If you're making the API requests in the frontend, you should use the implicit grant. Using the auth code grant to authorize the frontend is insecure because you will expose your client secret to all website visitors. JavaScript isn't capable of handling secrets without exposing them. This is less of an issue if you're building a native desktop application, but the implicit grant is still the most appropriate grant type when authorizing the frontend.