Service App - Retrieve the Access and Refresh the Token Pair

pkrisztian
Level 1

Hello everyone,

I'm currently exploring the integration capabilities of Webex for our HR automation platform. Our goal is to provide our customers a way to seamlessly integrate with Webex, allowing them to send messages, create spaces and teams, as well as invite and remove users. So far the Service app seems to be the most suitable choice for us.

In the documentation, I found instructions on how to manually obtain customer credentials under the "Org Authorizations" section on the Service Apps details page. While this method works, it might not be the most scalable approach for our needs, as it would require manual support for each installation. Many other third-party services provide the tokens after users have given consent during an OAuth authorization flow, which is much more automated and can be easily integrated.

I'd like to know if there's a more streamlined way to retrieve customer credentials in the case of Service Apps than manually searching for and generating them under the Service Apps details page. Can I simply use the OAuth flow to request permissions and exchange the code for an access token and refresh token pair?

Thank you!

1 Accepted Solution

sandiban
Cisco Employee

Hi @pkrisztian,
Thanks for your patience so far!
Yes, in case of Service App - for the first attempt, you need to generate the Access Token & Refresh Token pair from the Service App settings page in Webex Developer Portal only. Because in Service App, you don't have the place to feed redirect URLs or, Code. Even to generate the Code - you need OAuth URL which is not available from the Service App details page.

But straight from the next time, since you already have the Refresh Token available - for generating a new Access Token programmatically using that Refresh Token the logic/flow is the same between an Integration and Service App.
You do a POST to https://webexapis.com/v1/access_token with the parameters of "grant_type": "refresh_token", "client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET", and "refresh_token": "YOUR_REFRESH_TOKEN"
If you're trying it from POSTMAN, for a reference I've shared a screen shot here. Hope that helps!

And, once your Refresh Token is also expired, again you've to come back to Service App Settings to generate a fresh pair of Access Token and Refresh Token.
Please let us know for any further assistance.

Regards!
Sandip

Screenshot 2023-09-26 at 1.06.11 PM.png

Please Note: If you think the solution provided above was helpful and satisfactory, please accept it as a Solution! However if you want to discuss it further and get yourself unblocked, please don't hesitate to reply back on this thread and we'll try to answer those queries by the soonest. In that case, once all of your queries are cleared - finally you can mark it as "Accepted as Solution"
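
The refresh step described in the answer above, as an added example that is not part of the original thread or Cisco's own code. It keeps the client secret and refresh token out of source code, and flags when the refresh token itself is close to expiry so the manual regeneration on the Service App settings page can be scheduled. Assumptions: a form-encoded request body, the response fields `expires_in` and `refresh_token_expires_in`, and the hypothetical environment variable names.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://webexapis.com/v1/access_token"  # endpoint named in the answer


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the POST with the four parameters listed in the answer."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    # Assumption: form-encoded body, as in a standard OAuth 2.0 token request.
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, now=None, warn_days=14):
    """Extract the token pair and flag a refresh token that is close to expiry."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "access_token" not in data:
        # Never echo the body: an error response can still carry secrets.
        raise ValueError("token endpoint returned no access_token")
    # Assumption: lifetimes are reported in seconds under these field names.
    refresh_left = data.get("refresh_token_expires_in")
    return {
        "access_token": data["access_token"],
        "access_expires_at": now + data["expires_in"],
        "refresh_token": data.get("refresh_token"),
        # True means an admin must soon regenerate the pair on the settings page.
        "needs_manual_renewal": (refresh_left is not None
                                 and refresh_left < warn_days * 86400),
    }


def refresh_access_token():
    """Read credentials from the environment (hypothetical names) and refresh."""
    req = build_refresh_request(os.environ["WEBEX_CLIENT_ID"],
                                os.environ["WEBEX_CLIENT_SECRET"],
                                os.environ["WEBEX_REFRESH_TOKEN"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read())
```

Store the returned tokens in a secrets manager rather than in logs or config files, and alert on `needs_manual_renewal` for each deployment.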

Hello!
I have a pretty similar issue but with Service App Guest Management.
I have an application that should take the ability for users without a Webex account to make a call (using Webex JS SDK). I used Guest Issuer and Integration making calls from Guest to Integration. But now Guest Issuer is deprecated and Service App Guest Management is recommended instead. However, there is a problem with Access Token pair generation. Yes, I can use a manually generated Refresh Token to generate Access Token programmatically. But after the Refresh Token expiration time (90 days as far as I understand) I should regenerate it manually and repeat it every 90 days. I have many isolated deployments so I need to do manual Access/Refresh Tokens updates for each. It seems like too much manual work. Maybe, there is another way for creating/updating tokens that can be implemented programmatically for now?
Thanks!

Hi @aandreev,
If you want to automate the process of token generation, I can say you should follow this blog post (or, article) which has a sample in Python flask framework to generate token out of a Webex Integration (though this is not for Webex Service App) - https://developer.webex.com/blog/real-world-walkthrough-of-building-an-oauth-webex-integration

But if you want to automate the authentication process, Webex Integration is the best suited for that. With Service App, this automating part would be tricky.
Let us know in case you have any further queries.

Regards!
Sandip 

I already have automation for Integration. On the Integration side I can use OAuth and Access token generation by OAuth code. It already works. And as far as I understand, there are no changes in the update to Improved Meetings.
My question is about Service Application for Guest Management. On this side users don't have Webex accounts and should be joined as guests. How can I automate token generation? How can I do generation programmatically?

Hi @aandreev,
Automating the authentication process with Service App won't be possible at this moment.
Because for Service App, the tool itself is an automated tool for generating the tokens and as you can find out, in Service App - you don't have the exposure to the specific fields that are required to generate the Tokens since most of them are hidden in backend operation.
Except "clientId" and "clientSecret" - there is nothing much exposed unlike Webex Integration.

Let us know for any further assistance going ahead.

Regards!
Sandip 

Thank you, Sandiban. That's what I was concerned about. It seems like we might be better off with a bot to minimize the necessary steps and support from our end, making it as self-service and configurable by the customer as possible.

Regarding Service Apps, I have a question about spaces and teams. Bots can only see spaces they are members of. How about Service Apps? Can they list everything in the org, or do they need to be added to the desired spaces somehow? If so, how can I add a Service App to a space? Bots have a username, but I can't see such a field in the case of Service Apps. How does this work? 

Thank you in advance!

Hi @pkrisztian,
Thanks for getting back to us!
No, for Service App - there is no concept of adding it to a Webex space.
Service App would just help you to generate the Token pair with the added Scopes to it.
So, once you have the required scopes added on the Service App settings and generate the Access Token out of it after authorizing it by the Full Admin, you're good to go!

With that access token, then you can just go ahead and perform the API Requests and it should start working based on the Scopes it has. As simple as that.

So, this Service App is just an advanced version of Webex Integration, but more streamlined since you don't need to perform so many manual operations before generating the Token pair.
Otherwise, both of their functionalities are just same.
Hope that helps !

Regards!
Sandip

Thank you for the clarifications. I just tried to get the list of rooms using the access token from my test service app but encountered the following 403 Forbidden error:

{
  "message": "The server understood the request, but refused to fulfill it because the access token is missing required scopes or the user is missing required roles or licenses.",
  "errors": [
    {
      "description": "The server understood the request, but refused to fulfill it because the access token is missing required scopes or the user is missing required roles or licenses."
    }
  ],
  "trackingId": "WEBEX-DEV-PORTAL_c8d462ad-6e62-4bfa-a3e0-a0abf8de0174_21"
}

Here are the steps I took:

  1. I created a service app with "spark-compliance:rooms_read" and "spark-compliance:teams_read" scopes, as I understood that the simple "spark:rooms_read" is not sufficient to list all rooms in the organization.
  2. I created a new user with the Compliance officer role.
  3. I added and authorized my test service app with this new user.
  4. In the app settings, under "Org Authorizations," I generated a refresh and access token pair for the organization.
  5. I attempted to call the list-rooms endpoint using the "Try it" example in the API documentation.

Any thoughts on what I might be doing wrong here? Thank you!!

Hi @pkrisztian,
Thanks for the details!
Since you mentioned you've provided the Compliance Officer (CO) role to the User, I believe you're trying to pull the Org level room details.
In that case, could you kindly check and confirm if you've added the scopes - "spark-compliance:rooms_read" and also the "spark:rooms_read" in your Service App Scope list.

In case you've already added these 2 scopes and you're still getting the same error, could you kindly share the details with devsupport@webex.com and we can investigate the issue further.

Regards!
Sandip

Hi @sandiban,

Yes exactly, I am trying to fetch the list of all rooms in the organization. Initially, I only had the `spark-compliance:rooms_read` scope configured, and I didn't realize that I also needed `spark:rooms_read`. I didn't come across this requirement in the documentation.

Now that I have both scopes configured, I can successfully make the call. However, I'm facing another issue. The call returns an empty list, even though I have some test spaces in my sandbox account. Is there anything else I should do to be able to list them with the service app? Sorry for bugging you with all these little questions  

Thanks, Krisztián