We’ve finally pushed our SAML SSO integration to production for agent login, which is great for the user experience. However, our custom agent desktop wrapper is now failing to refresh access tokens for background API calls. The app relies on the Embeddable Client App SDK to maintain a persistent connection for screen pops and real-time state updates.
Previously, we used a simple OAuth client credentials grant. Now that SAML is enforced, the /oauth/token endpoint returns a 400 Bad Request with the error message: invalid_grant: SSO is required for this client.
Here is the code block where the failure occurs in our token refresh logic:
// genesysCloudUrl, clientId and clientSecret are loaded from the wrapper's configuration elsewhere.
async function refreshToken() {
  // Client credentials grant: the client authenticates itself with HTTP Basic auth.
  const response = await fetch(`${genesysCloudUrl}/oauth/token`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Authorization': 'Basic ' + btoa(`${clientId}:${clientSecret}`)
    },
    body: 'grant_type=client_credentials&scope=conversation:read' // simplified for brevity
  });

  if (!response.ok) {
    // Since SAML was enforced this branch is hit with a 400 and
    // { error: 'invalid_grant', error_description: 'SSO is required for this client' }.
    let errorData = {};
    try {
      errorData = await response.json();
    } catch (e) {
      // non-JSON error body; fall through with the status code only
    }
    console.error('Token refresh failed:', response.status, errorData);
    throw new Error(errorData.error_description || `HTTP ${response.status}`);
  }

  return response.json();
}
I understand that SAML requires an interactive login flow or a specific SAML assertion exchange. But this wrapper needs to run unattended processes, like updating custom attributes or fetching queue stats, without forcing the agent to re-authenticate manually.
Is there a way to configure the OAuth client to allow both SAML for user sessions and standard client credentials for backend services? I’ve checked the client settings in the UI, but there’s no obvious toggle to exempt certain scopes from SAML enforcement.
We’ve tried using the authorization_code flow with a PKCE code, but managing the redirect URI in a desktop app context is messy and breaks the smooth experience we’re aiming for.
Any insights on how other teams have handled this dual-auth requirement? We’re stuck between a rock and a hard place here.
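The pattern the post is asking about, as an added example (not the poster's code and not Genesys SDK code): two token sources that never share a credential or a refresh path. The agent's session lives on a refresh_token grant issued to a public client after the interactive SSO login, so no client secret is embedded in the desktop wrapper; the unattended work uses a separate confidential client with a client_credentials grant that is meant to run in a backend process. Token-endpoint errors are classified rather than retried: invalid_grant (the SSO-required response from the post, or a revoked refresh token) is surfaced as "re-authentication required" and handed to a callback, since retrying the same credential cannot succeed. TOKEN_URL, the builder functions and the parameter names are assumptions; the mock token endpoint in the test is constructed.

```javascript
// Added example, not from the original post. TOKEN_URL is a placeholder.
const TOKEN_URL = 'https://login.example.invalid/oauth/token';
const REFRESH_SKEW_MS = 60 * 1000; // renew a minute before the token expires

// Encodes a plain object as an application/x-www-form-urlencoded body.
function formBody(params) {
  return new URLSearchParams(params).toString();
}

// Agent session: public client, refresh token obtained through the interactive
// SSO login (authorization code + PKCE). No secret is sent from the desktop app.
function userSessionRequest({ clientId, refreshToken }) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: formBody({ grant_type: 'refresh_token', refresh_token: refreshToken, client_id: clientId }),
  };
}

// Unattended work: confidential client using client_credentials. This belongs in
// a backend process that holds the secret, not in the agent's desktop wrapper.
function serviceRequest({ clientId, clientSecret, scope }) {
  return {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64'),
    },
    body: formBody({ grant_type: 'client_credentials', scope }),
  };
}

// One cached access token per credential, refreshed single-flight so that
// concurrent API calls do not each hit the token endpoint.
class TokenSource {
  constructor(name, buildRequest, { fetchImpl = globalThis.fetch, onReauthRequired = () => {}, now = Date.now } = {}) {
    this.name = name;
    this.buildRequest = buildRequest; // () => fetch init for the token request
    this.fetchImpl = fetchImpl;
    this.onReauthRequired = onReauthRequired;
    this.now = now;
    this.accessToken = null;
    this.expiresAt = 0;
    this.inflight = null;
  }

  async getToken() {
    if (this.accessToken && this.now() + REFRESH_SKEW_MS < this.expiresAt) return this.accessToken;
    if (!this.inflight) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async refresh() {
    const res = await this.fetchImpl(TOKEN_URL, this.buildRequest());
    let body = {};
    try { body = await res.json(); } catch (e) { /* non-JSON error page */ }
    if (!res.ok) {
      const err = new Error(`${this.name}: token request failed (${body.error || res.status}): ${body.error_description || ''}`);
      err.code = body.error || `http_${res.status}`;
      // invalid_grant means this credential cannot produce a token at all
      // (SSO required for the client, refresh token revoked or expired).
      // Retrying is pointless; the caller must obtain a new grant interactively.
      err.reauthRequired = err.code === 'invalid_grant';
      if (err.reauthRequired) this.onReauthRequired(err);
      throw err;
    }
    this.accessToken = body.access_token;
    this.expiresAt = this.now() + (body.expires_in ?? 0) * 1000;
    return this.accessToken;
  }
}
```

In use, API calls made on the agent's behalf (screen pops, state updates) take their token from the session source, and the queue-stat or attribute-update jobs take theirs from the service source running server-side; when the session source reports reauthRequired, the wrapper starts the interactive login again instead of looping on refresh.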