We are setting up a custom agent desktop extension using the Embeddable Client App SDK. The tricky part is that we operate in a BPO model where multiple clients share the same Genesys Cloud instance but are separated by divisions. We need our OAuth client to only access data within the specific client division, not across the entire org.
I’ve tried setting the scopes in the genesys-cloud-purecloud-gc-auth library configuration, but it seems to ignore division-level restrictions. Here is the config object I am passing:
const config = {
    clientId: 'my-client-id',                          // OAuth client id registered in Genesys Cloud
    scope: 'agent:session:write division:read',        // requested scopes
    redirectUri: 'https://myapp.com/callback'          // must match the client's registered redirect URI
};
The token comes back fine, but when I hit the /api/v2/users/me endpoint, I can see users from other divisions. This is a security risk. I know there are tenant settings for division isolation, but I need this handled at the OAuth client level if possible.
- Using .NET 8 for the backend service
- Genesys Cloud API v2
- Embeddable Client App SDK v2.5
- Division isolation is enabled in tenant settings
Has anyone managed to scope an OAuth client to specific divisions? Or is the only way to filter results after fetching them?
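An added example, not from the original post or from the Genesys Cloud SDK: whether or not the OAuth client can be restricted at grant time, a consuming app in a shared-tenant setup should deny by default on the result side, so that an object whose division is missing or outside the allowed set never reaches the UI. The division ids, the user records and the `division.id` field shape are constructed here for illustration; the allow-list would in practice come from the authenticated user's division grants.

```javascript
// Added example, not code from the original post or the Genesys SDK.
// Assumption: API objects carry a `division.id` field; all ids below are constructed.

// Division ids this client context is allowed to see (constructed placeholder).
const ALLOWED_DIVISIONS = new Set(['div-client-a']);

// Constructed sample resembling one page of a users listing.
const sampleUsersPage = {
  entities: [
    { id: 'u-1', name: 'Agent One', division: { id: 'div-client-a' } },
    { id: 'u-2', name: 'Agent Two', division: { id: 'div-client-b' } },
    { id: 'u-3', name: 'No Division', division: null },
  ],
};

// Returns the division id of an object, or null when absent.
// A missing division is treated as "not permitted", never as "global".
function divisionOf(obj) {
  return obj && obj.division && typeof obj.division.id === 'string'
    ? obj.division.id
    : null;
}

// Deny-by-default filter: keep only entities whose division is in the allow-list.
function filterByDivision(entities, allowed) {
  return entities.filter((e) => {
    const d = divisionOf(e);
    return d !== null && allowed.has(d);
  });
}

// Guard for single-object responses: throw instead of handing back
// out-of-division data to the caller.
function assertInDivision(obj, allowed) {
  const d = divisionOf(obj);
  if (d === null || !allowed.has(d)) {
    throw new Error(`division ${d === null ? 'none' : d} is not permitted for this client`);
  }
  return obj;
}

// Wraps any page-fetching function so every page is filtered before the
// caller sees it; fetchPage is expected to resolve to { entities: [...] }.
async function fetchPageInDivision(fetchPage, allowed) {
  const page = await fetchPage();
  return { ...page, entities: filterByDivision(page.entities || [], allowed) };
}

// Usage with the constructed sample: only the div-client-a user survives.
function demo() {
  const visible = filterByDivision(sampleUsersPage.entities, ALLOWED_DIVISIONS);
  return visible.map((u) => u.id);
}
```

The point of `assertInDivision` is that single-object lookups fail loudly rather than silently returning a record from another client's division; logging those failures gives you a detection signal that the token's effective permissions are broader than the app expects.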