OAuth Client Management
Creating OAuth Clients
Step-by-Step: Create an OAuth Client
Access Path:
Admin → Integrations → OAuth → Add client
OR
Menu → IT and Integrations → OAuth → Add client
Procedure:
1. Click "Add Client" Button
└─ "Add New Client" page appears
2. Enter Application Name (Required)
├─ Your application's display name
├─ Example: "Salesforce Integration Service"
├─ Visible in admin dashboard
└─ Visible in authorization screens
3. Enter Description (Optional)
├─ What the application does
├─ Example: "Syncs Salesforce contacts to Genesys every 30 minutes"
├─ Helpful for documentation
└─ Visible in admin UI
4. Select Grant Type(s)
├─ Choose one or more:
│ ├─ Client Credentials (service-to-service)
│ ├─ Code Authorization / PKCE (web/mobile apps)
│ ├─ Token Implicit Grant (DEPRECATED - don't use)
│ └─ SAML2 Bearer (enterprise SSO)
│
├─ Can select multiple grant types
├─ Each grant type has specific settings
└─ Note: Cannot select Implicit after March 2026
5. Click "Next" Button
└─ Proceed to grant-specific configuration
6. Grant-Specific Configuration:
For Client Credentials:
├─ Assign Roles (Required)
│ ├─ Select minimum roles needed
│ ├─ Available roles listed
│ ├─ Application will have these permissions
│ └─ Note: Must have roles in your profile to assign
│
├─ Assign Divisions
│ ├─ Required for role assignment
│ ├─ Roles scoped to divisions
│ ├─ Default: Home Division
│ └─ Update to appropriate divisions
│
└─ Token Duration
├─ Configurable: 300-172,800 seconds
├─ Default: 3600 seconds (1 hour)
├─ SCIM special: up to 450 days
└─ Your choice based on use case
For Authorization Code / PKCE:
├─ Token Duration
│ ├─ Configurable: 300-172,800 seconds
│ ├─ Default: 3600 seconds (1 hour)
│ └─ Recommended: 18 hours (64,800 seconds)
│
├─ Authorized Redirect URIs (Required)
│ ├─ Up to 125 URIs
│ ├─ One per line
│ ├─ Must use HTTPS
│ ├─ Example: https://yourapp.com/callback
│ ├─ Example: https://yourapps.com/auth
│ ├─ Example: http://localhost:3000/callback (dev)
│ ├─ Loopback: http://localhost/ (any port)
│ └─ MUST be exact match (case-sensitive)
│
└─ Scopes (Required)
├─ Click "Scope" button
├─ Select minimum scopes needed
├─ Space-separated in requests
├─ Example: "conversations:readonly users:readonly"
└─ Recommended: Least privilege principle
7. Click "Next" Button
└─ Review configuration
8. Review & Save
├─ Verify all settings
├─ Check OAuth name
├─ Confirm grant type(s)
├─ Verify scopes correct
└─ Click "Save"
9. Client Created Successfully
├─ System generates Client ID
├─ System generates Client Secret
├─ IMPORTANT: Copy secret immediately!
└─ Secret cannot be retrieved later
10. Display Confirmation
├─ Client Name: Your application name
├─ Client ID: Unique identifier (public)
├─ Grant Types: Selected methods
├─ Scopes: Requested permissions
├─ Created By: Your username
├─ Created Date: Timestamp
└─ Client Secret: (hidden after creation)
11. Finish
└─ Client ready to use
Typical Client Example:
Name: Salesforce Contact Sync
Grant Type: Client Credentials
Roles: External Contact Manager, Agent
Divisions: Home Division
Token Duration: 86400 (1 day)
Scopes: externalcontacts:manage
Created: 2026-03-13
Client Secret Management (Critical - March 2026 Change)
⚠️ IMPORTANT SECURITY UPDATE (March 2026)
Previous Behavior:
├─ Client secret visible in admin UI anytime
├─ Could view secret for existing clients
├─ Increased exposure risk
└─ Security concern
Current Behavior (March 2026):
├─ Client secret only shown at creation
├─ Cannot view secret after creation
├─ Must copy immediately when created
├─ Cannot retrieve via API
└─ Enhanced security
Action Required at Client Creation:
1. When Client Created:
├─ Page displays client secret
├─ Only time you see it
└─ Immediately copy and store
2. Copy Secret:
├─ Click "Copy" button
├─ OR manually select and copy
└─ Keep safe!
3. Store Secret Securely:
├─ Secure vault (recommended)
├─ Environment variables
├─ NOT in code
├─ NOT in git repository
├─ NOT in logs
└─ Encrypted storage
4. Acknowledge:
├─ Checkbox: "I have copied and stored the secret"
├─ Verify before checking
└─ Only way to proceed
5. If You Lose It:
├─ Cannot retrieve from UI
├─ Click "Generate new secret"
├─ New secret replaces old
├─ Old secret no longer works
└─ Update application immediately
Secure Storage Solutions:
HashiCorp Vault:
├─ Enterprise secret management
├─ Encryption, rotation, audit
├─ Recommended: Production environments
└─ Access via API
AWS Secrets Manager:
├─ AWS-native secret storage
├─ Encryption, rotation, audit
├─ Recommended: AWS environments
└─ IAM-based access control
Azure Key Vault:
├─ Azure-native solution
├─ Encryption, versioning
├─ Recommended: Azure environments
└─ RBAC access control
Environment Variables (Dev Only):
├─ .env file (development)
├─ Never commit to git
├─ NOT for production
├─ Simple for local development
└─ Use .gitignore
Docker Secrets:
├─ Container orchestration
├─ Swarm/Kubernetes
├─ Encrypted storage
└─ Recommended: Container deployments
Never Store:
❌ In application code
❌ In git repository
❌ In version control
❌ In logs
❌ In configuration files
❌ In plain text
❌ In comments
❌ In documentation
OAuth Client Security
Security Best Practices:
Secret Rotation:
Timeline:
├─ Rotate monthly minimum
├─ Before employee departures
├─ After any exposure
├─ If suspected compromise
└─ Automated via CI/CD
Process:
1. Generate New Secret:
├─ Click "Generate new secret"
├─ Confirm action
└─ New secret displayed once
2. Update Application:
├─ Update configuration
├─ Dual-use period: old + new both work
├─ Monitor for errors
└─ Verify new secret works
3. Verify Working:
├─ Test authentication
├─ Check logs for success
├─ No 401 errors
└─ All requests working
4. Remove Old Secret:
├─ Old automatically stops working
├─ After brief dual-use period
├─ No action needed
└─ Can't revert to old
Audit Logging:
Log These Events:
├─ OAuth client created
├─ Secret regenerated
├─ Scopes added/removed
├─ Roles assigned/removed
├─ Client deleted
├─ Access failures
└─ Unusual activity
What to Log:
├─ Timestamp
├─ Admin user
├─ Action taken
├─ Client affected
├─ Result (success/failure)
└─ NOT the secret itself
Monitoring:
Monitor For:
├─ Unexpected client creation
├─ Secret rotation outside schedule
├─ Failed authentication attempts
├─ Unusual scope usage
├─ Access pattern changes
├─ Clients not used regularly
└─ Suspicious activity
Permissions:
Who Can Create Clients?
├─ Admin users with "oauth:client:add" permission
├─ Typically: Super Admin, OAuth Admin role
└─ Verify in your organization
Who Can View Clients?
├─ Admin users
├─ Users with "oauth:client:view" permission
└─ Consider minimizing access
Who Can Delete Clients?
├─ Admin users
├─ OAuth Admin role
└─ Approval process recommended
Compliance Requirements:
HIPAA:
├─ Requires MFA for admin access
├─ 15-minute idle timeout enforced
├─ Audit logging required
└─ Client rotation documented
PCI-DSS:
├─ Secure secret storage required
├─ No hardcoded secrets
├─ Regular rotation required
└─ Access control required
SOC 2:
├─ Audit trails for all changes
├─ Access control enforcement
├─ Change management process
└─ Incident response documented
GDPR:
├─ Data processing log required
├─ Right to access supported via API
├─ Data retention policies
└─ Deletion/export capabilities
OAuth Client Lifecycle
Stages:
1. Creation
├─ Admin creates client
├─ Scopes assigned
├─ Roles assigned (if Client Credentials)
├─ Secret generated
└─ Client ID provided
2. Configuration
├─ Redirect URIs registered (if Auth Code)
├─ Scopes finalized
├─ Token duration set
└─ Roles/divisions confirmed
3. Usage
├─ Applications authenticate with client
├─ Users authorize app (if Code grant)
├─ Tokens issued and used
├─ API calls made
└─ Regular operations
4. Monitoring
├─ Track usage patterns
├─ Monitor authentication success
├─ Alert on anomalies
├─ Quarterly scope review
└─ Annual security audit
5. Maintenance
├─ Rotate secrets monthly
├─ Update scopes as needed
├─ Verify still in use
├─ Remove unused clients
└─ Document changes
6. Deactivation
├─ Determine if still needed
├─ Plan removal
├─ Notify application owners
├─ Provide replacement if needed
└─ Allow migration period
7. Deletion
├─ Remove old client
├─ Tokens immediately invalid
├─ Applications get 401 errors
├─ Audit log records deletion
└─ Cannot be recovered
Timeline:
Creation → Configuration → Usage → Monitoring → Maintenance → Deactivation → Deletion
0 days 1 day Day 1+ Day 30+ Day 30+ Day 365+ Day 380+
Common OAuth Client Configurations
Configuration 1: Web Application (Node.js + React)
Grant Type: Authorization Code
Redirect URIs:
├─ https://yourapp.com/callback
├─ https://yourapp.com/auth
└─ http://localhost:3000/callback (dev)
Scopes:
├─ conversations:readonly
├─ users:readonly
└─ presence:manage
Token Duration: 3600 (1 hour)
Use Case:
├─ User logs in via browser
├─ Backend handles token exchange
├─ Backend stores refresh token
└─ User can revoke access anytime
Configuration 2: Service Integration (Salesforce Sync)
Grant Type: Client Credentials
Roles:
├─ External Contact Manager
└─ Scheduler (if needed)
Divisions: Home Division
Scopes:
├─ externalcontacts:manage
├─ users:readonly
└─ scheduling:readonly
Token Duration: 86400 (1 day)
Use Case:
├─ Automated sync service
├─ No user interaction
├─ Runs on schedule
└─ Application acts as itself
Configuration 3: Mobile App with Backend
Grant Type: Authorization Code + PKCE
Redirect URIs:
├─ myapp://oauth/callback
├─ https://myapp.com/callback
└─ http://localhost:3000/callback (dev)
Scopes:
├─ conversations:readonly
├─ conversations:call:control
├─ users:readonly
└─ presence:manage
Token Duration: 3600 (1 hour)
Use Case:
├─ Mobile app user login
├─ PKCE for public client security
├─ Backend stores refresh token
└─ App cannot store client_secret
Configuration 4: Single-Page Application (SPA)
Grant Type: Authorization Code + PKCE
Redirect URIs:
├─ https://yourapp.com/
├─ https://yourapp.com/callback
└─ http://localhost:3000/ (dev)
Scopes:
├─ conversations:readonly
├─ users:readonly
└─ presence:manage
Token Duration: 3600 (1 hour)
Use Case:
├─ JavaScript SPA
├─ No backend (serverless)
├─ PKCE prevents code interception
├─ Tokens stored in memory only
Configuration 5: Bot/Virtual Agent
Grant Type: Client Credentials
Roles:
├─ Agent
└─ Virtual Agent (if available)
Divisions: Home Division
Scopes:
├─ conversations:readonly
├─ conversations:external:contact:add
├─ knowledge:readonly
└─ users:readonly
Token Duration: 86400 (1 day)
Use Case:
├─ Chatbot integration
├─ No user context
├─ Reads knowledge base
└─ Fully automated
Configuration 6: Admin Tool/Dashboard
Grant Type: Authorization Code
Redirect URIs:
├─ https://admin.yourcompany.com/callback
└─ http://localhost:8080/callback (dev)
Scopes:
├─ users:manage
├─ roles:manage
├─ oauth:client:manage
└─ admin:org:manage
Token Duration: 3600 (1 hour)
Use Case:
├─ Admin portal
├─ Full management capabilities
├─ User authentication
└─ Administrative access control
Troubleshooting OAuth Clients
Problem: Client Creation Fails
Check:
├─ Permission: Do you have oauth:client:add?
├─ Roles: Do you have the roles you're assigning?
├─ Scopes: Are scope names spelled correctly?
└─ Divisions: Do divisions exist?
Solution:
├─ Request oauth:client:add permission
├─ Use roles you have assigned
├─ Check scope names in API Explorer
└─ Use existing divisions
Problem: Client Secret Lost/Forgotten
Cannot Retrieve:
├─ Old secret: Cannot view (security feature)
├─ No recovery method
├─ No admin override
└─ Design for security
Solution:
├─ Generate new secret
├─ Update application
├─ Delete old client if not needed
└─ Document in future
Steps:
1. Click "Generate new secret"
2. Copy new secret
3. Update application config
4. Test authentication
5. Verify working
Problem: 401 Unauthorized on API Calls
Possible Causes:
├─ Token expired: Get fresh token
├─ Token revoked: Authenticate again
├─ Client credentials wrong: Check spelling
├─ Client no longer exists: Recreate
└─ Secret wrong: Regenerate
Troubleshooting:
1. Check token hasn't expired
2. Try authenticating again (fresh token)
3. Verify client_id and client_secret spelling
4. Check client exists in Admin UI
5. If regenerated secret, update application
6. Monitor logs for pattern
Problem: Scopes Not Working
User Still Can't Access API:
Causes:
├─ Wrong scope name
├─ User missing permission
├─ Token doesn't have scope
├─ Both scope and permission needed
└─ Other 403 reason
Check:
1. API Explorer: What scope required?
2. Token: Does it have that scope?
3. User: Does user have role permission?
4. Both: Scope AND permission needed
5. 403 error: One or both missing
Problem: Application Not Working After Update
Something Changed:
Check:
├─ Secret regenerated? Update app config
├─ Scopes changed? Users must re-authorize
├─ Roles changed? Token might lack permission
├─ Token duration changed? Should still work
└─ Redirect URI changed? Registration needed
Fix:
├─ If secret: Update app immediately
├─ If scopes: Get new token (user re-auth)
├─ If roles: Assign correct roles
└─ If URI: Re-register in Admin UI
Best Practices: OAuth Client Management
Security:
□ Store secrets in secure vault
□ Rotate monthly minimum
□ Never commit to git
□ Use environment variables
□ Encrypt at rest and in transit
□ Audit all changes
□ Monitor for anomalies
□ Principle of least privilege
Operations:
□ Document each client's purpose
□ Keep contact info for app owner
□ Review quarterly
□ Remove unused clients
□ Plan secret rotation schedule
□ Test after any changes
□ Verify working regularly
□ Monitor token usage
Compliance:
□ Meet HIPAA requirements
□ Meet PCI-DSS requirements
□ Meet SOC 2 requirements
□ Document compliance steps
□ Keep audit logs
□ Review permissions quarterly
□ Maintain change log
□ Plan for incidents
Key Takeaways: Chapter 6
- Admin-Only Access - Only admins can create OAuth clients
- Secret View-Once - Client secret only shown at creation (March 2026 change)
- Secure Storage Required - Use vault, not code/git/environment
- Monthly Rotation - Standard practice for secret updates
- Dual Grant Types - Can select multiple grant types per client
- Role & Scope - Both required for Client Credentials
- Redirect URIs - Must be exact match (case-sensitive)
- Audit Everything - Log client creation, secret rotation, deletions
Interview Prep: OAuth Client Management
| Question | Answer |
|---|---|
| Where create OAuth client? | Admin → Integrations → OAuth → Add client |
| Who can create? | Users with oauth:client:add permission |
| Client secret visibility? | Only shown once at creation (March 2026 change) |
| If secret lost? | Generate new secret, update application |
| Secret storage? | Secure vault (HashiCorp, AWS, Azure) |
| Secret rotation? | Monthly minimum, before departures, after exposure |
| Redirect URIs? | Up to 125, must be HTTPS, exact match required |
| Scopes required? | Yes, principle of least privilege |
| Token duration? | Default 1 hour, configurable 300-172,800 seconds |
| Client deletion? | Immediate, tokens invalid, can't recover |
Document Version
Chapter: 6 of 8
Last Updated: March 2026
Status: Current with OAuth 2.0 standards
Scope: Client creation, management, security
No Comments