Step-up Authentication with SAP CDC Error 401

Hi community,
we are trying to implement step-up authentication via the SAP CDC provider that supports OpenID Connect.
https://help.sap.com/docs/SAP_CUSTOMER_DATA_CLOUD/8b8d6fffe113457094a17701f63e3d6a/fb66c55073654c2bb10f67f70b12c88a.html

When the getAuthCode method is called on the request:
https://api.mypurecloud.de/api/v2/webdeployments/token/oauthcodegrantjwtexchange
we get the response:
{
"message": "Failed to identify user for token: c28ce6ef9937ea6b273f2aaa3c3b4729 deploymentId: b962f9da-ea2c-4d04-929c-e341d74f03f5",
"code": "unauthorized",
"status": 401,
"contextId": "989d5e0d-7bcd-4f1e-839d-469871ec81be",
"details": [],
"errors": []
}
The well-known link is:
https://fidm.eu1.gigya.com/oidc/op/v1.0/3_yf7Dwd_HxouE_VcFb2CtR-qxy8Rghf10jk6LQOB1sLi2z73qwgJNmB1aEe1OG1jA/.well-known/openid-configuration

We followed the general guidelines already adopted for other providers:

  • we removed the nonce parameter
  • we manually retrieved the url to obtain the token to test the credentials
  • we checked that the well-known link ended with /.well-known/openid-configuration

Thanks for the support,
Giuseppe.

Hi,

Thanks for reaching out.

I checked our logs and could see the following error:
invalid_grant (The provided authorization code or refresh token was issued to another client.)

So it looks like there is a config mismatch somewhere.
Either the auth server used to get the authcode is not the same as the one used to do the code exchange,
or the path references different apps on the server side (hence different instances).
Genesys will use the URL referenced in the token_endpoint attribute from the discovery document to carry out the exchange.
Or the clientId in the integration is not the correct one.

Hope this helps,

Regards,
V.P.
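The checks V.P. lists above (the code and the exchange must go to the same authorization server and the same app path, and a nonce should be on every authorization request) as an added example in Python; this is not code from the thread, Genesys or SAP CDC, and the discovery document, hosts and client id are constructed placeholders.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample discovery document; not the real SAP CDC document linked in the thread.
DISCOVERY_JSON = """{
  "issuer": "https://op.example.invalid/oidc/op/v1.0/3_EXAMPLEAPIKEY",
  "authorization_endpoint": "https://op.example.invalid/oidc/op/v1.0/3_EXAMPLEAPIKEY/authorize",
  "token_endpoint": "https://op.example.invalid/oidc/op/v1.0/3_EXAMPLEAPIKEY/token",
  "jwks_uri": "https://op.example.invalid/oidc/op/v1.0/3_EXAMPLEAPIKEY/.well-known/jwks"
}"""


def load_discovery(text):
    """Parse a /.well-known/openid-configuration body and require the keys the exchange needs."""
    doc = json.loads(text)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in doc:
            raise ValueError(f"discovery document missing {key}")
    return doc


def endpoint_mismatches(doc):
    """List problems that would make a code issued at authorization_endpoint unusable at
    token_endpoint: a different host, or a different app path under the same OP. Either
    produces the 'issued to another client' invalid_grant seen in the thread."""
    issuer = urlsplit(doc["issuer"])
    problems = []
    for key in ("authorization_endpoint", "token_endpoint"):
        ep = urlsplit(doc[key])
        if ep.scheme != "https":
            problems.append(f"{key} is not https")
        if ep.netloc != issuer.netloc:
            problems.append(f"{key} host {ep.netloc} differs from issuer host {issuer.netloc}")
        if not ep.path.startswith(issuer.path.rstrip("/") + "/"):
            problems.append(f"{key} path {ep.path} is outside the issuer app path {issuer.path}")
    return problems


def build_auth_request(doc, client_id, redirect_uri, nonce=None, state=None):
    """Build the authorization request URL with a fresh nonce and state; the client_id
    must be the same one configured for the token exchange."""
    nonce = nonce or secrets.token_urlsafe(16)
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile email", "state": state, "nonce": nonce}
    return doc["authorization_endpoint"] + "?" + urlencode(params), nonce, state
```

Run endpoint_mismatches against the live discovery document first; an empty list means the remaining suspect is the client id configured in the integration.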

Thank you for sharing the log.
We were able to understand that the problem was in the absence of the nonce that SAP CDC uses to identify the Client.
One question: through authentication, only the FirstName and LastName claims are exposed to the chat widget, but the authentication provider (SAP CDC) sends many more that would be useful to retrieve. Is there any way to indicate which claims to return in the authentication response?
Or is there a way to retrieve them?

Regards,
Giuseppe.

Hi,

Thanks for the feedback.
Nice that you could make this work.

Regarding claims, only 3 claims are currently managed.

And there's no option to handle more.

There is a feature request opened to support this:
https://genesyscloud.ideas.aha.io/ideas/DXWMM-I-57

Feel free to share your use case in the portal and vote to push the request.

Best regards,
V.P.
