02-04-2025 10:56 AM
I am currently trying to build a client app for Webex. I do not want to route the user through my own server to authenticate them, so I am going for the Device Grant Flow. Now, as I discovered, to poll the device token endpoint (POST https://webexapis.com/v1/device/token) I need to pass an Authorization header which includes my integration's client secret. This confuses me since this does not seem to match the OAuth specs and prevents me from authenticating the user without going through a private server. Is that an error in the documentation or is it simply prohibited to grant devices without a private server?
Thanks in advance.
02-05-2025 12:13 AM
Hi @matixmedia,
Could you kindly share with us what exactly the error is that you're getting?
Maybe you can share the Postman screenshot from when you try to run the request, so that we can understand what exactly the payload looks like.
Regards!
Sandip
02-05-2025 06:06 AM
Hi @sandiban,
I think there is a misunderstanding. I am not really experiencing an error.
I was wondering why there is an Authorization (client secret) required to hit the /device/token endpoint. This prevents me from writing a client app that only talks to WebEx directly. As of right now, I would need to implement an ID broker that I host myself in order to securely store my client secret and authorize users against WebEx.
The reason I wonder about this is that normally you do not require Authorization to hit the /device/token endpoint (in other OAuth implementations).
I've attached a screenshot for visualization.