Finesse SSO CORS issue

NickLynch35638
Level 1

I would like to make a request to https://finesse-domain/desktop/sso/token from another domain (not the finesse-domain from the request). I am able to do this from Postman but it results in a CORS issue from the browser. I don't get CORS problems when making other Finesse requests from the browser.

 

Is there a way to configure CORS to work with /desktop/sso/token?

Is there a way to configure a redirect URL for the /desktop/sso/token request to get the token to a page hosted on my domain?

Is there another way to get a bearer token (and later refresh that token) that can be used in REST requests to Finesse?

Accepted Solution

dekwan
Cisco Employee

Hi,

 

After talking to the Finesse team, they stated that the SSO APIs do not support CORS.

 

As a workaround for now, they suggested hosting an HTML page in the 3rdpartygadget location and loading it on their web page, which can then make a request to the desktop SSO APIs in the same domain.

 

Thanx,

Denise
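The workaround in the accepted answer, as an added example in JavaScript that is not part of the thread and not Cisco code: a small relay page served from the Finesse origin (the 3rdpartygadget location) fetches /desktop/sso/token same-origin, so CORS never applies, and hands the token to the embedding page on your own domain over postMessage. The embedding origin (https://myapp.example.com) and the Finesse origin used in the usage comment are assumptions, as is the assumption that the token endpoint returns the token as the response body. The part a practitioner should not skip is the origin handling: the relay only answers exact-match allow-listed origins and posts the token back with that origin as targetOrigin, and the embedding page only accepts messages whose origin is the Finesse origin, so the token cannot be obtained by any other page that manages to frame the relay.

```javascript
// Added example, not Cisco code: relay page served from Finesse's own origin
// (the 3rdpartygadget location) so that GET /desktop/sso/token is same-origin.
// The page on your own domain embeds this relay in an iframe and asks for the
// token over postMessage. Origins below are assumed values.

// Exact origins allowed to embed the relay and receive the token (assumed).
const ALLOWED_PARENT_ORIGINS = new Set(['https://myapp.example.com']);

// Relative path: resolves against the Finesse origin the relay is served from.
const SSO_TOKEN_PATH = '/desktop/sso/token';

// Exact-match the origin string. Never use startsWith or a regex here:
// "https://myapp.example.com.evil.net" would pass a prefix check.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_PARENT_ORIGINS.has(origin);
}

// Message the relay posts back; a pure function so it is testable without a browser.
function buildTokenMessage(token) {
  return { type: 'finesse-sso-token', token };
}

// Same-origin GET for the token. fetchImpl is injected so the function can be
// exercised with a stub; in the browser pass window.fetch.
// Assumption: the token is returned as the response body text.
async function fetchSsoToken(fetchImpl) {
  const res = await fetchImpl(SSO_TOKEN_PATH, {
    method: 'GET',
    credentials: 'same-origin', // send the Finesse session cookie
  });
  if (!res.ok) throw new Error(`${SSO_TOKEN_PATH} returned HTTP ${res.status}`);
  return (await res.text()).trim();
}

// Relay side: runs inside the iframe on the Finesse origin.
function installRelay(win) {
  win.addEventListener('message', async (ev) => {
    if (!isAllowedOrigin(ev.origin)) return;                   // ignore everyone else
    if (!ev.data || ev.data.type !== 'get-finesse-token') return;
    try {
      const token = await fetchSsoToken(win.fetch.bind(win));
      // targetOrigin is the verified sender: the token is delivered to that
      // origin only, even if the parent navigated elsewhere in the meantime.
      ev.source.postMessage(buildTokenMessage(token), ev.origin);
    } catch (err) {
      ev.source.postMessage({ type: 'finesse-sso-error', error: String(err) }, ev.origin);
    }
  });
}

// Embedding side: runs on your own domain. Returns the token carried by a
// message event only if it came from the Finesse origin; otherwise null.
function tokenFromRelayMessage(ev, finesseOrigin) {
  if (ev.origin !== finesseOrigin) return null;
  if (!ev.data || ev.data.type !== 'finesse-sso-token') return null;
  return typeof ev.data.token === 'string' ? ev.data.token : null;
}

// Browser wiring; skipped under Node so the functions above run stand-alone.
if (typeof window !== 'undefined' && window.parent !== window) {
  installRelay(window); // we are the iframe on the Finesse origin
}

// Embedding page, assuming the relay is framed from https://finesse.example.com:
//   const frame = document.getElementById('finesse-relay');
//   window.addEventListener('message', (ev) => {
//     const token = tokenFromRelayMessage(ev, 'https://finesse.example.com');
//     if (token) useBearerToken(token);   // your code
//   });
//   frame.contentWindow.postMessage({ type: 'get-finesse-token' }, 'https://finesse.example.com');
```

The relay only works while the user has a Finesse session on that origin, since the token call rides on the same-origin cookie; anything your own page does with the token afterwards still has to go to Finesse REST endpoints that do allow your origin under the CORS settings Denise linked.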



dekwan
Cisco Employee

Hi,

 

What version of Finesse are you using? CORS is supported, but needs to be turned on for 12.5: https://developer.cisco.com/docs/finesse/#!cors-support-for-finesse-rest-apis

As far as I know, this is the only way to get the bearer token.

 

Thanx,

Denise

12.0(1)
CORS is working for requests like /finesse/api/User/0002145/ReasonCodes?category=NOT_READY but not for the SSO token request at /desktop/sso/token

Do we need 12.5 for CORS with SSO?

Hi,

 

Not that I am aware of. I will reach out to the Finesse team to check.

 

Thanx,

Denise


I'm making the request directly to Cisco Identity Service instead. I can't use the SDK because it's Java, but I have been able to make OAuth requests and refresh tokens and so on.

Would there be any problem doing it this way?

Hi,

 

Unfortunately I am not an expert in SSO, but if you are able to get the token directly from the Cisco Identity Service, I don't see why there would be a problem. From my understanding, the Finesse SSO APIs are just a wrapper around getting it from the Identity service anyways.

 

Thanx,

Denise

Hello Nick, I am in the same situation where I need to communicate directly with IDS without using the JDK. I was able to reverse engineer and get to a point where I could get the auth code. However, I am unable to find the next set of URLs to do a POST to get the token. Can you please let me know the HTTP verb, URL and payload you used for the token and refresh token?

@Praveen.Vyapaka : sorry to interject with a curveball, I find myself in a similar situation (I have l/p of a user I want to login, and my app is C# and headless). You said you got the auth code. How did you do that?

Hi Stephan - I made progress further and was able to fetch and refresh tokens as well. You could use the endpoints below to achieve the same.

Get Authorization:
Verb: GET
End Point: https:///ids/v1/oauth/authorize
Response_Type: code
client_id: obtained from IDS
redirect_url: URL where IDS needs to post the token to.
state: can be any value to identify the client

Get Access Token:
Verb: POST
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic
End Point: https:///ids/v1/oauth/access_token
grant_type: authorization_code
client_id: obtained from IDS
code: obtained from the Get Authorization call

Refresh Token:
Verb: POST
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic
End Point: https:///ids/v1/oauth/access_token
grant_type: refresh_token
access_token: obtained from the Get Access Token call
refresh_token: obtained from the Get Access Token call

Sounds promising.

 

Not sure I'm missing something for the authorization_code though. So I made the first request:

GET https://srvccx12.nxodev.intra:8553/ids/v1/oauth/authorize?client_id=clientId %myclientid%&redirect_uri=https://localhost:8187&response_type=code&state=myapp

 

%myclientid% is a client I registered on the Cisco Identity service, along with the redirect_uri.

 

The response I get seems to be the ADFS page. So how do I get the authorization_code from that in programmatic fashion? If I call the url from the browser, then log into the ADFS server, after login, I see the request being made in my browser to the redirect_uri with state and code in the uri:

https://localhost:8187/?state=pmgr&code=%some code here%

 

I'm assuming the %some code here% is the authorization_code.. but now I got that using a GUI. my app won't be having a GUI. So how did you manage to get the authorization_code programmatically?

 

If I take the %some code here% from the browser response, and try the POST to 

 

https://srvccx12.nxodev.intra:8553/ids/v1/oauth/access_token

 

It asks for a lot more parameters than you gave. It wants grant_type (value: authorization_code), client_id (same as for the GET request), code (code returned from GET request), and redirect_uri.. but once all that has been entered, it bitches about invalid_client.

 

To get the auth code, you will need to provide a redirect URL where it posts the auth code to. You will need to fetch it from there. For the second call to get the token, make sure you include a basic auth header and pass the client id as the username; the password can be left blank.

>> To get the auth code, you will need to provide a redirect URL where it posts the auth code to.

 

I'm doing that, my first request does include a redirect URI

 

GET https://srvccx12.nxodev.intra:8553/ids/v1/oauth/authorize?client_id=clientId %myclientid%&redirect_uri=https://localhost:8187&response_type=code&state=myapp

 

But this is a GET. Why would this trigger a POST (by whom? my ADFS?) back to my redirect_uri? redirect_uri in my experience (using OpenID Connect authentication on Okta, ADFS and AzureAD) is the URI I'm being redirected back to after successfully authenticating (on Okta, ADFS, AzureAD). Yes, the response will contain a code. But this login is a manual process. I'm not getting any codes automatically.

 

Any chance you could record a login session on your end, strip out the sensitive bits (e.g. value of auth header) and share so I can see what I'm really missing? I don't get how this is supposed to work (I'm using OpenID connect in my apps and I know how that works.. but something seems to be very different).

Hi @stephan.steiner 

I am facing the same issue.

Were you able to find any solution?

Hi Praveen,

We are kind of stuck with the same problem. We have a web client and we can't use the IDS SDK. We need to authenticate users on the web application.

We now have the IDS URLs for fetch / refresh token. However, IDS and Finesse both have different domains, and when we try to call the IDS API (from our web client, or from Finesse by hosting a page in 3rdparty) we receive a CORS issue because IDS is on a different server.

How did you resolve this problem?

 

Appreciate your response in this regard 
