Hello. I am an embedded services developer working on customizing the Genesys Cloud Web Messaging widget for our enterprise portal. We require all users to be authenticated before they can initiate a chat. Our corporate identity provider uses OIDC (OpenID Connect). I have configured the Messenger deployment to require authentication and provided the JWKS URI. However, when I pass the JWT from our IdP to the AuthProvider plugin in the Messenger snippet, the widget fails to initialize with a “401 Unauthorized” error. I have verified the token signature using a third-party tool and it is valid. Are there specific claims that the Genesys Cloud authentication service strictly requires in the JWT payload for OIDC authentication to succeed?
Yes. Genesys Cloud strictly requires the sub (subject), iss (issuer), and aud (audience) claims. The iss and aud in your JWT must match exactly what you configured in the Messenger integration settings. If your IdP is sending an aud that is an array instead of a single string, the validation will fail.
Also verify the exp (expiration) and iat (issued at) claims. We ran into this during our predictive routing beta when passing tokens. If your IdP server’s clock is skewed even slightly ahead of the Genesys Cloud servers, the iat might be evaluated as “in the future” and rejected immediately. Ensure your IdP is using NTP synchronization.
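Both answers above name the same set of checks (sub/iss/aud present, iss and aud matching the integration settings exactly, aud as a single string rather than an array, exp not in the past, iat not in the future because of IdP clock skew). The following is an added example, not code from this thread or from Genesys Cloud, showing a pre-flight claims check a portal developer could run on the IdP token before handing it to the Messenger AuthProvider plugin, so that a 401 from the service can be explained locally first. It inspects only the payload claims and does not verify the signature (the JWKS-backed service does that on its side). The function names, the issuer and audience strings and the sample tokens are constructed for the example.

```javascript
// Added example (not Genesys Cloud or Messenger SDK code): pre-flight check of
// the JWT payload claims named in the thread. Signature verification is
// deliberately out of scope here; the signature segment of the samples below
// is a placeholder.

function base64UrlDecode(segment) {
  // base64url -> base64; Node's decoder tolerates the missing '=' padding
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { ok: boolean, problems: string[] }.
// expectedIss / expectedAud are the values configured in the Messenger
// integration (constructed here). nowSeconds is injectable so the check is
// deterministic; it defaults to the local clock.
function checkMessengerClaims(jwt, expectedIss, expectedAud,
                              nowSeconds = Math.floor(Date.now() / 1000)) {
  const problems = [];
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    return { ok: false, problems: ['token is not a three-part compact JWS'] };
  }
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return { ok: false, problems: ['payload is not base64url-encoded JSON'] };
  }

  // 1. Required claims must all be present.
  for (const name of ['sub', 'iss', 'aud', 'exp', 'iat']) {
    if (claims[name] === undefined) problems.push(`missing required claim: ${name}`);
  }
  if (claims.sub !== undefined && (typeof claims.sub !== 'string' || claims.sub === '')) {
    problems.push('sub must be a non-empty string');
  }

  // 2. iss and aud must match the integration settings exactly.
  if (claims.iss !== undefined && claims.iss !== expectedIss) {
    problems.push(`iss "${claims.iss}" does not match configured issuer "${expectedIss}"`);
  }
  if (Array.isArray(claims.aud)) {
    problems.push('aud is an array; the integration expects a single string');
  } else if (claims.aud !== undefined && claims.aud !== expectedAud) {
    problems.push(`aud "${claims.aud}" does not match configured audience "${expectedAud}"`);
  }

  // 3. Time claims: exp in the past or iat in the future both fail.
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) {
    problems.push('token has expired (exp is in the past)');
  }
  if (typeof claims.iat === 'number' && claims.iat > nowSeconds) {
    problems.push(`iat is ${claims.iat - nowSeconds}s in the future; check the IdP clock (NTP)`);
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample tokens. The header says RS256 only so the shape looks
// like a real IdP token; the third segment is a placeholder, not a signature.
function makeUnsignedSample(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.signature-placeholder`;
}

const NOW = 1700000000;                        // fixed "current time" for the demo
const ISS = 'https://idp.example.com/';        // constructed issuer value
const AUD = 'messenger-deployment-example';    // constructed audience value

const goodToken = makeUnsignedSample(
  { sub: 'user-123', iss: ISS, aud: AUD, iat: NOW - 60, exp: NOW + 3600 });
const arrayAudToken = makeUnsignedSample(
  { sub: 'user-123', iss: ISS, aud: [AUD, 'other-api'], iat: NOW - 60, exp: NOW + 3600 });
const skewedIatToken = makeUnsignedSample(
  { sub: 'user-123', iss: ISS, aud: AUD, iat: NOW + 120, exp: NOW + 3600 });

for (const [label, token] of [['good', goodToken], ['array aud', arrayAudToken], ['skewed iat', skewedIatToken]]) {
  const result = checkMessengerClaims(token, ISS, AUD, NOW);
  console.log(label, result.ok ? 'OK' : result.problems.join('; '));
}
```

Run with Node (the example uses Buffer); in the browser the same logic works with atob/btoa in place of Buffer. The check is intentionally strict on iat, with no leeway, to mirror the behaviour described in the second answer: if it reports a future iat on a freshly issued token, the IdP clock is ahead of the machine running the check.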