Web messaging Authentication Failure : 401

Hi,
We are currently facing an issue where the Genesys oauthcodegrantjwtexchange call "https://api.mypurecloud.de/api/v2/webdeployments/token/oauthcodegrantjwtexchange" is throwing a 401:

"message": "Failed to identify user for token: bdfa8b008052d3dffae6f71c3cb15843 deploymentId: xxxx",
"code": "unauthorized",
"status": 401,
"contextId": "e8c816fd-93f0-433d-b507-d7ceb8965842",
"details": [],
"errors": []

This is after the authentication server returns 200, with logs saying
Success Exchange Authorization Code for Access token

Kindly provide some logs so that we can investigate the issue.

Our sample code snippet:

    // Redirect handler: the post starts mid-function, so this head is assumed
    const handleAuthRedirect = (query) => {
        const shouldParseResult = query.includes("code=") && query.includes("state=");

        if (shouldParseResult) {
            console.log("> Parsing redirect");
            const urlParams = new URLSearchParams(query);
            const authCode = urlParams.get('code');
            if (authCode) {
                console.log('Authorization code received:', authCode);
                // codeVerifier and nonce were stored before the redirect (poster's own helpers)
                integrateGenesysAuth(authCode, getStoredCodeVerifier(), getStoredNonce());
            } else {
                console.error('Authorization code not found');
            }
        }
    };

    function integrateGenesysAuth(authCode, codeVerifier, nonce) {
        (function () {
            console.log('Initializing Genesys Plugin');
            Genesys('registerPlugin', 'AuthProvider', (AuthProvider) => {

                // Messenger calls getAuthCode to exchange the code for a token
                AuthProvider.registerCommand('getAuthCode', (e) => {
                    e.resolve({
                        authCode: authCode, // Authorization code obtained after the redirect
                        redirectUri: window.location.origin, // Redirect URI for token exchange
                        codeVerifier: codeVerifier, // Use the original codeVerifier
                        nonce: nonce,
                        maxAge: 36000
                    });
                });

                // signIn resolves with the same authCode captured at the redirect
                AuthProvider.registerCommand('signIn', (command) => {
                    console.log('signIn command triggered');
                    const data = {
                        authCode: authCode,
                        redirectUri: window.location.origin,
                        codeVerifier: codeVerifier, // Use the original codeVerifier
                        nonce: nonce,
                        maxAge: 36000
                    };
                    AuthProvider.publish('signedIn', data);
                    command.resolve(data);
                });

                AuthProvider.ready();
            });
        })();
    }

Hi @Potter,

Thank you for asking. To help us better understand the use case, is this a Messenger Configuration with the "Allow end-users to upgrade an anonymous session to authenticated conversation" option enabled? Since the AuthProvider.signIn command is implemented here, I'm assuming this is enabled, because it is required only when this option is enabled.

The error "Failed to identify user for token" indicates that the authentication with our system failed due to an invalid or expired JWT. In this case, you must re-login to fetch a new authCode and then provide that to the getAuthCode command.

I see 2 corrections here:

  1. When upgrade to authenticated conversation is enabled: implement the AuthProvider.signIn command to re-login and provide the new data that includes the authCode. Please refer to the code sample with code comments documented here.

  2. Implement the AuthProvider.reAuthenticate command as documented in the same link above. There is also sample blueprint code for this with Okta here. This reAuthenticate command is always required to handle these 401 or other authentication errors.

Messenger will call the reAuthenticate command when the current token and/or authCode are no longer valid. You can add logic here to simply re-login and resolve this command after a successful login so that Messenger can get the new authCode. (When the browser requires a page reload for a login, there is no need to resolve this command.) Note: After a successful re-login, calling the getAuthCode command is taken care of internally and there is no need to call it explicitly again. Let us know if this helps.
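As an added example (not code from the original post, from Genesys, or from the blueprint mentioned above), here is the shape the reply describes: an AuthProvider plugin whose signIn and reAuthenticate commands obtain a fresh authorization code instead of replaying the one captured at the first redirect. `createAuthState`, `buildAuthPayload`, `registerAuthProvider`, `loginAgain` and `createFakeGenesys` are assumed names; `loginAgain` stands in for a real re-login flow, and the fake host is a constructed stand-in for the Messenger `Genesys(...)` entry point so the flow can be driven offline in Node.

```javascript
// Added example, not from the original post or from Genesys. The plugin calls
// (registerPlugin, registerCommand, publish, ready) follow the shape used in the
// thread; loginAgain is an assumed hook standing in for a real re-login.

function createAuthState(initial) {
    // Latest PKCE material for the current login; replaced on every re-login.
    return { authCode: initial.authCode, codeVerifier: initial.codeVerifier, nonce: initial.nonce };
}

function buildAuthPayload(state, redirectUri) {
    return {
        authCode: state.authCode,
        redirectUri: redirectUri,
        codeVerifier: state.codeVerifier,
        nonce: state.nonce,
        maxAge: 36000, // with maxAge set, the IdP must put auth_time in the ID token
    };
}

function registerAuthProvider(Genesys, state, loginAgain, redirectUri) {
    Genesys('registerPlugin', 'AuthProvider', (AuthProvider) => {
        // Messenger asks for the current code/verifier/nonce to perform the token exchange.
        AuthProvider.registerCommand('getAuthCode', (e) => {
            e.resolve(buildAuthPayload(state, redirectUri));
        });

        // Anonymous -> authenticated upgrade: start a new login instead of replaying the
        // code captured at the first redirect (authorization codes are single-use).
        AuthProvider.registerCommand('signIn', (command) => {
            Object.assign(state, loginAgain());
            const data = buildAuthPayload(state, redirectUri);
            AuthProvider.publish('signedIn', data);
            command.resolve(data);
        });

        // Messenger calls this after a 401 or an expired token. Re-login, then resolve;
        // Messenger then calls getAuthCode itself, so no explicit call is needed here.
        AuthProvider.registerCommand('reAuthenticate', (command) => {
            Object.assign(state, loginAgain());
            command.resolve();
        });

        AuthProvider.ready();
    });
}

// Constructed stand-in for the Messenger host: records registered commands and
// published events so the plugin can be exercised without a browser or deployment.
function createFakeGenesys() {
    const commands = {};
    const events = [];
    const Genesys = (action, pluginName, init) => {
        if (action !== 'registerPlugin') throw new Error('unsupported action: ' + action);
        init({
            registerCommand: (name, handler) => { commands[name] = handler; },
            publish: (eventName, data) => { events.push({ eventName, data }); },
            ready: () => { events.push({ eventName: 'ready' }); },
        });
    };
    // Invoke a command the way Messenger would and hand back what the handler resolved.
    const invoke = (name) => {
        if (!commands[name]) throw new Error('no such command: ' + name);
        let result;
        commands[name]({ resolve: (value) => { result = value; }, reject: (err) => { throw err; } });
        return result;
    };
    return { Genesys, invoke, events };
}

// Drive the flow: initial code, a 401-triggered reAuthenticate, then an upgrade via signIn.
function demoReauthFlow() {
    let logins = 0;
    // Constructed login stub: each call represents a completed IdP login with fresh material.
    const loginAgain = () => {
        logins += 1;
        return { authCode: 'code-' + logins, codeVerifier: 'verifier-' + logins, nonce: 'nonce-' + logins };
    };
    const host = createFakeGenesys();
    const state = createAuthState({ authCode: 'code-0', codeVerifier: 'verifier-0', nonce: 'nonce-0' });
    registerAuthProvider(host.Genesys, state, loginAgain, 'https://app.example/');

    const first = host.invoke('getAuthCode');       // code-0, from the initial redirect
    host.invoke('reAuthenticate');                  // as Messenger would after a 401
    const afterReauth = host.invoke('getAuthCode'); // code-1: Messenger re-fetches this itself
    const upgraded = host.invoke('signIn');         // code-2, published as 'signedIn'
    return { first, afterReauth, upgraded, logins, events: host.events.map((e) => e.eventName) };
}

if (typeof require !== 'undefined' && require.main === module) {
    console.log(JSON.stringify(demoReauthFlow(), null, 2));
}
```

The difference from the posted snippet is that every path Messenger can take to recover from a 401 ends in a new login; the code, verifier and nonce are replaced together, so a stale verifier is never paired with a fresh code.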

Hi,

Tokens are properly exchanged indeed, but validation fails.
Checking the logs, the root cause is the following:

missing required JWT property auth_time

Regards,
V.P.

1 Like
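The root cause above is a claim the token validation expects but the IdP did not send. As an added example (not from the post or from Genesys), the following Node snippet decodes an ID token's payload and applies the same check before the token reaches the exchange: when `maxAge` is sent in `getAuthCode`, OpenID Connect Core requires the ID token to carry `auth_time`, and a standard ID-token check also requires `nonce` to match and `exp` to be in the future. `checkIdTokenClaims`, `decodeJwtPayload` and `makeUnsignedToken` are assumed names; the sample tokens are constructed and unsigned, and the check inspects claims only, so it complements rather than replaces signature verification by the exchange endpoint.

```javascript
// Added example, not from the original post or from Genesys: a claim pre-check that
// reproduces the failure seen in the thread ("missing required JWT property auth_time").
// Claims only; the signature is still verified server-side by the token exchange.

function base64UrlDecode(segment) {
    // JWT segments are base64url without padding; Buffer decodes plain base64, so convert.
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
    return Buffer.from(text, 'utf8').toString('base64')
        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
    const parts = token.split('.');
    if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
    return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { ok, problems, claims }. `now` is seconds since the epoch and is injectable
// so the check is deterministic in tests.
function checkIdTokenClaims(token, { expectedNonce, maxAge, now = Math.floor(Date.now() / 1000) }) {
    const claims = decodeJwtPayload(token);
    const problems = [];
    if (typeof claims.exp !== 'number') {
        problems.push('missing required JWT property exp');
    } else if (claims.exp <= now) {
        problems.push('token expired');
    }
    if (expectedNonce !== undefined && claims.nonce !== expectedNonce) {
        problems.push('nonce mismatch');
    }
    if (maxAge !== undefined) {
        // OIDC Core 3.1.2.1: when max_age was requested, auth_time is REQUIRED in the ID token.
        if (typeof claims.auth_time !== 'number') {
            problems.push('missing required JWT property auth_time');
        } else if (now - claims.auth_time > maxAge) {
            problems.push('auth_time is older than maxAge; user must re-authenticate');
        }
    }
    return { ok: problems.length === 0, problems, claims };
}

// Constructed helper for the demo: builds an unsigned token with the given claims.
// A real IdP signs the token; this shape exists only to exercise the claim checks.
function makeUnsignedToken(claims) {
    const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
    const payload = base64UrlEncode(JSON.stringify(claims));
    return header + '.' + payload + '.';
}

// Constructed tokens evaluated at a fixed "now", using the thread's maxAge of 36000.
function demoClaimChecks() {
    const now = 1700000000;
    const nonce = 'n-4f2c';
    const base = { iss: 'https://idp.example', sub: 'user-1', aud: 'client-1', exp: now + 600, nonce };
    const withoutAuthTime = makeUnsignedToken(base);                        // what the IdP sent here
    const freshLogin = makeUnsignedToken({ ...base, auth_time: now - 60 });    // logged in a minute ago
    const staleLogin = makeUnsignedToken({ ...base, auth_time: now - 40000 }); // older than maxAge
    const opts = { expectedNonce: nonce, maxAge: 36000, now };
    return {
        withoutAuthTime: checkIdTokenClaims(withoutAuthTime, opts),
        freshLogin: checkIdTokenClaims(freshLogin, opts),
        staleLogin: checkIdTokenClaims(staleLogin, opts),
        noMaxAge: checkIdTokenClaims(withoutAuthTime, { expectedNonce: nonce, now }),
    };
}

if (typeof require !== 'undefined' && require.main === module) {
    console.log(JSON.stringify(demoClaimChecks(), null, 2));
}
```

Running the check on the token the IdP actually issued, with the same `maxAge` the client sends in `getAuthCode`, reports the missing claim locally instead of as an opaque 401 from the exchange; the fix on the IdP side is to emit `auth_time` (or, if session age is not needed, not to send `maxAge`).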

Great, this helps.
I will update back.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.