Web Messenger Authentication 401 code

Hello, we are working with our engineers to implement web messenger authentication. They are receiving a 401 error response with a "Failed to identify user for token:" message.

Can I get someone to assist troubleshooting based on the following context ID? cab64b91-c590-45f9-a9b4-fdedec634d01

Hi,

I could find the following error message from the contextId provided:
invalid_grant (Authorization code is invalid or expired.)

I could also see this error in the days before:
invalid_grant (Authorization code is malformed.)

As general advice, try to start with no extra security parameters and add them one by one.
You may also find some info on the OAuth provider side.

Hope this helps,

Regards,
V.P.

Hello, thank you for the response. We did some additional testing and troubleshooting and are getting the same error. Can you confirm if this contextId is returning the same error message?

ContextId: db47ab62-27ec-4cdd-a1af-65775bb765f3

Hi,

Not the same error:
invalid_client (Invalid client or client credentials.)

Hope this helps,

Regards,
V.P.

Thanks V.P.

An additional few questions:
If an auth code is used for a token exchange to log in to our application, does a separate one need to be generated for the Genesys authentication or can we use the same one? If a separate code is required, do you know how most orgs generate and trigger an additional auth code? Our identity provider is PingOne.

Hi,

Yes, you need to use a separate one. An auth code is for one-time use.

You can trigger another auth code by invoking the /authorize endpoint from your provider.
Alternatively, there is a feature request to implement implicit flow that would allow retrieving existing tokens, avoiding an extra authentication step.
Feel free to add your feedback to it.

Regards,
V.P.

Thank you vpirat, here is another context ID, could you take a look?

We are trying to get our client settings right. Do you have any insight on creating the client in PingOne? Does OIDC have any specific settings that need to be enabled to work? Is there a way we can get more information from these responses rather than having to reach out each time?

d4fd4380-4b08-42a2-a5ae-69ff31e57db7

I'm seeing this error:
invalid_grant (Authorization code is invalid or expired.)

Regarding debugging, I don't know about PingOne, but you can manually test the code exchange by using any HTTP tool.
1- Invoke /authorize manually and retrieve the auth code.
Try to test first without any extra security parameters.
Once the basic request works, add more parameters (like nonce, PKCE, etc.).

GET /authorize?
client_id=<your_client_id>
&response_type=code
&redirect_uri=<your_call_back_url>
&response_mode=fragment
&scope=openid%20profile%20email%20offline_access
&state=12345 (this can be any string that you want)

2- Invoke manually with an HTTP request to your provider.
POST /token
Content-Type: application/x-www-form-urlencoded

client_id=<your clientId>
&scope=openid%20profile%20email%20offline_access
&code=<exchange_code>
&redirect_uri=<your_url>
&grant_type=authorization_code
&client_secret= // NOTE: Only required for web apps. This secret needs to be URL-Encoded.

3- Once this is working, retry step 2 by calling the code exchange with the Genesys API instead.
It should work as well.

Also check this article.

Hope this helps,

Regards,
V.P.
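
The manual test from the reply above, as an added example that is not part of the original thread or of any Genesys or PingOne code: it builds the step 1 URL, reads the code from the fragment callback while checking `state`, and builds the step 2 form body with the secret URL-encoded. The base URL, client values, function names and the error hints (taken from RFC 6749 section 5.2) are assumptions for illustration.

```python
# Added example: all names and sample values are hypothetical placeholders.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

SCOPE = "openid profile email offline_access"

def build_authorize_url(base, client_id, redirect_uri, state=None):
    """Step 1: URL to open in a browser. Returns (url, state)."""
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "response_mode": "fragment",
        "scope": SCOPE, "state": state,
    }, quote_via=quote)  # quote() gives %20 for spaces, as in the post
    return f"{base}/authorize?{query}", state

def code_from_callback(callback_url, expected_state):
    """Read the code from the #fragment and check that state round-tripped."""
    params = parse_qs(urlsplit(callback_url).fragment)
    if "error" in params:
        raise ValueError("provider returned " + params["error"][0])
    if params.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: callback is not for this request")
    return params["code"][0]

def build_token_body(client_id, code, redirect_uri, client_secret=None):
    """Step 2: form body for POST /token, with every value URL-encoded."""
    fields = {
        "client_id": client_id, "scope": SCOPE, "code": code,
        "redirect_uri": redirect_uri,  # must equal the value sent in step 1
        "grant_type": "authorization_code",
    }
    if client_secret is not None:  # only sent by web app clients
        fields["client_secret"] = client_secret
    return urlencode(fields, quote_via=quote)

# Likely causes for the two errors seen in this thread (RFC 6749, 5.2).
HINTS = {
    "invalid_grant": "code expired, already redeemed, issued to another "
                     "client, or redirect_uri differs from step 1",
    "invalid_client": "client authentication failed: check client_id, the "
                      "secret and its encoding, and the client auth method",
}

def explain(error_response):
    """Map a parsed token-endpoint error body (dict) to a likely cause."""
    return HINTS.get(error_response.get("error", ""),
                     "see error_description in the response")
```

Because a code can be redeemed only once, each run of step 2 needs a fresh code from step 1, and a second POST with the same body is expected to return `invalid_grant`.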

Thank you, V.P. I appreciate the write-up. Our dev had some additional questions and made another post with his code in detail. Any chance you could take a look?

\o_

Yes, send it to me.

Regards,
V.P.


You can find it here