We’ve finally pushed our org into mandatory SAML SSO mode. The user login experience is sorted, but now our internal tools that rely on the standard OAuth2 client credentials flow are dropping dead.
Specifically, the urn:genesys:cloud:iam:client scope requests are returning a 401 Unauthorized with a body that just says {"code":"unauthorized","message":"invalid_client"}.
I was under the impression that API clients and SAML users lived in separate lanes. The docs mention that SAML doesn’t affect machine-to-machine auth, but clearly something changed in the IAM config when we toggled the SSO setting.
Here’s the basic curl I’m running from our CI/CD runner:
curl -X POST https://{{org}}.mypurecloud.com/oauth/token \
-u "$CLIENT_ID:$CLIENT_SECRET" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&scope=urn:genesys:cloud:iam:client"
The client ID and secret are correct (they worked yesterday). I’ve checked the IAM roles for the client, and they still have the necessary permissions. Is there a hidden dependency between the SAML provider config and the OAuth client trust settings? Or do I need to re-register the client after the SSO switch?
Feeling like I’m missing a config flag somewhere in the admin console.
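For reference, here is a client-credentials request built the way RFC 6749 expects it (client id and secret in a Basic Authorization header, only grant_type and scope in the form body) together with a small classifier for the error body, so a CI runner can log a diagnosis without echoing secrets. This is an added example, not code from the post above; the login host, the helper names and every error message other than the invalid_client body quoted above are assumptions.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the authorization server host, not the per-org API host.
TOKEN_URL = "https://login.mypurecloud.com/oauth/token"


def build_token_request(client_id, client_secret, scope=None):
    """Return (url, headers, body) for a client-credentials grant.
    The client authenticates with HTTP Basic; the form body never carries
    the secret, which keeps it out of request logs and proxies' URL traces."""
    creds = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return TOKEN_URL, headers, urllib.parse.urlencode(form)


def classify_token_error(status, body):
    """Map a token-endpoint error to a coarse, secret-free diagnosis."""
    try:
        err = json.loads(body)
    except ValueError:
        return "unparseable"
    msg = (err.get("message") or err.get("error") or "").lower()
    if status == 401 and msg == "invalid_client":
        # Client authentication failed: credentials not sent, wrong,
        # or the client itself is disabled/deleted. Not a scope problem.
        return "client_auth_failed"
    if status == 400 and msg == "invalid_scope":
        return "scope_rejected"
    if status == 403:
        return "permission_denied"
    return "other"


def request_token(client_id, client_secret, scope=None):
    """Fetch an access token; raise RuntimeError carrying the diagnosis on failure."""
    url, headers, body = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as e:
        raise RuntimeError(classify_token_error(e.code, e.read().decode())) from e
```

A "client_auth_failed" result points at how the client authenticates (or whether the client still exists), which is a different place to look than the roles and scopes granted to it.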