OAuth Client Management

Creating OAuth Clients 
 Step-by-Step: Create an OAuth Client 
 Access Path:
Admin → Integrations → OAuth → Add client
OR
Menu → IT and Integrations → OAuth → Add client

Procedure:

1. Click "Add Client" Button
 └─ "Add New Client" page appears

2. Enter Application Name (Required)
 ├─ Your application's display name
 ├─ Example: "Salesforce Integration Service"
 ├─ Visible in admin dashboard
 └─ Visible in authorization screens

3. Enter Description (Optional)
 ├─ What the application does
 ├─ Example: "Syncs Salesforce contacts to Genesys every 30 minutes"
 ├─ Helpful for documentation
 └─ Visible in admin UI

4. Select Grant Type(s)
 ├─ Choose one or more:
 │ ├─ Client Credentials (service-to-service)
 │ ├─ Code Authorization / PKCE (web/mobile apps)
 │ ├─ Token Implicit Grant (DEPRECATED - don't use)
 │ └─ SAML2 Bearer (enterprise SSO)
 │
 ├─ Can select multiple grant types
 ├─ Each grant type has specific settings
 └─ Note: Cannot select Implicit after March 2026

5. Click "Next" Button
 └─ Proceed to grant-specific configuration

6. Grant-Specific Configuration:

 For Client Credentials:
 ├─ Assign Roles (Required)
 │ ├─ Select minimum roles needed
 │ ├─ Available roles listed
 │ ├─ Application will have these permissions
 │ └─ Note: Must have roles in your profile to assign
 │
 ├─ Assign Divisions
 │ ├─ Required for role assignment
 │ ├─ Roles scoped to divisions
 │ ├─ Default: Home Division
 │ └─ Update to appropriate divisions
 │
 └─ Token Duration
 ├─ Configurable: 300-172,800 seconds
 ├─ Default: 3600 seconds (1 hour)
 ├─ SCIM special: up to 450 days
 └─ Your choice based on use case

 For Authorization Code / PKCE:
 ├─ Token Duration
 │ ├─ Configurable: 300-172,800 seconds
 │ ├─ Default: 3600 seconds (1 hour)
 │ └─ Recommended: 18 hours (64,800 seconds)
 │
 ├─ Authorized Redirect URIs (Required)
 │ ├─ Up to 125 URIs
 │ ├─ One per line
 │ ├─ Must use HTTPS
 │ ├─ Example: https://yourapp.com/callback
 │ ├─ Example: https://yourapps.com/auth
 │ ├─ Example: http://localhost:3000/callback (dev)
 │ ├─ Loopback: http://localhost/ (any port)
 │ └─ MUST be exact match (case-sensitive)
 │
 └─ Scopes (Required)
 ├─ Click "Scope" button
 ├─ Select minimum scopes needed
 ├─ Space-separated in requests
 ├─ Example: "conversations:readonly users:readonly"
 └─ Recommended: Least privilege principle

7. Click "Next" Button
 └─ Review configuration

8. Review & Save
 ├─ Verify all settings
 ├─ Check OAuth name
 ├─ Confirm grant type(s)
 ├─ Verify scopes correct
 └─ Click "Save"

9. Client Created Successfully
 ├─ System generates Client ID
 ├─ System generates Client Secret
 ├─ IMPORTANT: Copy secret immediately!
 └─ Secret cannot be retrieved later

10. Display Confirmation
 ├─ Client Name: Your application name
 ├─ Client ID: Unique identifier (public)
 ├─ Grant Types: Selected methods
 ├─ Scopes: Requested permissions
 ├─ Created By: Your username
 ├─ Created Date: Timestamp
 └─ Client Secret: (hidden after creation)

11. Finish
 └─ Client ready to use

Typical Client Example:

Name: Salesforce Contact Sync
Grant Type: Client Credentials
Roles: External Contact Manager, Agent
Divisions: Home Division
Token Duration: 86400 (1 day)
Scopes: externalcontacts:manage
Created: 2026-03-13
 
 
 Client Secret Management (Critical - March 2026 Change) 
 ⚠️ IMPORTANT SECURITY UPDATE (March 2026)

Previous Behavior:
├─ Client secret visible in admin UI anytime
├─ Could view secret for existing clients
├─ Increased exposure risk
└─ Security concern

Current Behavior (March 2026):
├─ Client secret only shown at creation
├─ Cannot view secret after creation
├─ Must copy immediately when created
├─ Cannot retrieve via API
└─ Enhanced security

Action Required at Client Creation:

1. When Client Created:
 ├─ Page displays client secret
 ├─ Only time you see it
 └─ Immediately copy and store

2. Copy Secret:
 ├─ Click "Copy" button
 ├─ OR manually select and copy
 └─ Keep safe!

3. Store Secret Securely:
 ├─ Secure vault (recommended)
 ├─ Environment variables
 ├─ NOT in code
 ├─ NOT in git repository
 ├─ NOT in logs
 └─ Encrypted storage

4. Acknowledge:
 ├─ Checkbox: "I have copied and stored the secret"
 ├─ Verify before checking
 └─ Only way to proceed

5. If You Lose It:
 ├─ Cannot retrieve from UI
 ├─ Click "Generate new secret"
 ├─ New secret replaces old
 ├─ Old secret no longer works
 └─ Update application immediately

Secure Storage Solutions:

HashiCorp Vault:
├─ Enterprise secret management
├─ Encryption, rotation, audit
├─ Recommended: Production environments
└─ Access via API

AWS Secrets Manager:
├─ AWS-native secret storage
├─ Encryption, rotation, audit
├─ Recommended: AWS environments
└─ IAM-based access control

Azure Key Vault:
├─ Azure-native solution
├─ Encryption, versioning
├─ Recommended: Azure environments
└─ RBAC access control

Environment Variables (Dev Only):
├─ .env file (development)
├─ Never commit to git
├─ NOT for production
├─ Simple for local development
└─ Use .gitignore

Docker Secrets:
├─ Container orchestration
├─ Swarm/Kubernetes
├─ Encrypted storage
└─ Recommended: Container deployments

Never Store:
❌ In application code
❌ In git repository
❌ In version control
❌ In logs
❌ In configuration files
❌ In plain text
❌ In comments
❌ In documentation
 
 
 OAuth Client Security 
 Security Best Practices:

Secret Rotation:

Timeline:
├─ Rotate monthly minimum
├─ Before employee departures
├─ After any exposure
├─ If suspected compromise
└─ Automated via CI/CD

Process:

1. Generate New Secret:
 ├─ Click "Generate new secret"
 ├─ Confirm action
 └─ New secret displayed once

2. Update Application:
 ├─ Update configuration
 ├─ Dual-use period: old + new both work
 ├─ Monitor for errors
 └─ Verify new secret works

3. Verify Working:
 ├─ Test authentication
 ├─ Check logs for success
 ├─ No 401 errors
 └─ All requests working

4. Remove Old Secret:
 ├─ Old automatically stops working
 ├─ After brief dual-use period
 ├─ No action needed
 └─ Can't revert to old

Audit Logging:

Log These Events:
├─ OAuth client created
├─ Secret regenerated
├─ Scopes added/removed
├─ Roles assigned/removed
├─ Client deleted
├─ Access failures
└─ Unusual activity

What to Log:
├─ Timestamp
├─ Admin user
├─ Action taken
├─ Client affected
├─ Result (success/failure)
└─ NOT the secret itself

Monitoring:

Monitor For:
├─ Unexpected client creation
├─ Secret rotation outside schedule
├─ Failed authentication attempts
├─ Unusual scope usage
├─ Access pattern changes
├─ Clients not used regularly
└─ Suspicious activity

Permissions:

Who Can Create Clients?
├─ Admin users with "oauth:client:add" permission
├─ Typically: Super Admin, OAuth Admin role
└─ Verify in your organization

Who Can View Clients?
├─ Admin users
├─ Users with "oauth:client:view" permission
└─ Consider minimizing access

Who Can Delete Clients?
├─ Admin users
├─ OAuth Admin role
└─ Approval process recommended

Compliance Requirements:

HIPAA:
├─ Requires MFA for admin access
├─ 15-minute idle timeout enforced
├─ Audit logging required
└─ Client rotation documented

PCI-DSS:
├─ Secure secret storage required
├─ No hardcoded secrets
├─ Regular rotation required
└─ Access control required

SOC 2:
├─ Audit trails for all changes
├─ Access control enforcement
├─ Change management process
└─ Incident response documented

GDPR:
├─ Data processing log required
├─ Right to access supported via API
├─ Data retention policies
└─ Deletion/export capabilities
 
 
 OAuth Client Lifecycle 
 Stages:

1. Creation
 ├─ Admin creates client
 ├─ Scopes assigned
 ├─ Roles assigned (if Client Credentials)
 ├─ Secret generated
 └─ Client ID provided

2. Configuration
 ├─ Redirect URIs registered (if Auth Code)
 ├─ Scopes finalized
 ├─ Token duration set
 └─ Roles/divisions confirmed

3. Usage
 ├─ Applications authenticate with client
 ├─ Users authorize app (if Code grant)
 ├─ Tokens issued and used
 ├─ API calls made
 └─ Regular operations

4. Monitoring
 ├─ Track usage patterns
 ├─ Monitor authentication success
 ├─ Alert on anomalies
 ├─ Quarterly scope review
 └─ Annual security audit

5. Maintenance
 ├─ Rotate secrets monthly
 ├─ Update scopes as needed
 ├─ Verify still in use
 ├─ Remove unused clients
 └─ Document changes

6. Deactivation
 ├─ Determine if still needed
 ├─ Plan removal
 ├─ Notify application owners
 ├─ Provide replacement if needed
 └─ Allow migration period

7. Deletion
 ├─ Remove old client
 ├─ Tokens immediately invalid
 ├─ Applications get 401 errors
 ├─ Audit log records deletion
 └─ Cannot be recovered

Timeline:

Creation → Configuration → Usage → Monitoring → Maintenance → Deactivation → Deletion
0 days 1 day Day 1+ Day 30+ Day 30+ Day 365+ Day 380+
 
 
 Common OAuth Client Configurations 
 Configuration 1: Web Application (Node.js + React)

Grant Type: Authorization Code
Redirect URIs:
├─ https://yourapp.com/callback
├─ https://yourapp.com/auth
└─ http://localhost:3000/callback (dev)

Scopes:
├─ conversations:readonly
├─ users:readonly
└─ presence:manage

Token Duration: 3600 (1 hour)

Use Case:
├─ User logs in via browser
├─ Backend handles token exchange
├─ Backend stores refresh token
└─ User can revoke access anytime

Configuration 2: Service Integration (Salesforce Sync)

Grant Type: Client Credentials
Roles:
├─ External Contact Manager
└─ Scheduler (if needed)

Divisions: Home Division

Scopes:
├─ externalcontacts:manage
├─ users:readonly
└─ scheduling:readonly

Token Duration: 86400 (1 day)

Use Case:
├─ Automated sync service
├─ No user interaction
├─ Runs on schedule
└─ Application acts as itself

Configuration 3: Mobile App with Backend

Grant Type: Authorization Code + PKCE
Redirect URIs:
├─ myapp://oauth/callback
├─ https://myapp.com/callback
└─ http://localhost:3000/callback (dev)

Scopes:
├─ conversations:readonly
├─ conversations:call:control
├─ users:readonly
└─ presence:manage

Token Duration: 3600 (1 hour)

Use Case:
├─ Mobile app user login
├─ PKCE for public client security
├─ Backend stores refresh token
└─ App cannot store client_secret

Configuration 4: Single-Page Application (SPA)

Grant Type: Authorization Code + PKCE
Redirect URIs:
├─ https://yourapp.com/
├─ https://yourapp.com/callback
└─ http://localhost:3000/ (dev)

Scopes:
├─ conversations:readonly
├─ users:readonly
└─ presence:manage

Token Duration: 3600 (1 hour)

Use Case:
├─ JavaScript SPA
├─ No backend (serverless)
├─ PKCE prevents code interception
├─ Tokens stored in memory only

Configuration 5: Bot/Virtual Agent

Grant Type: Client Credentials
Roles:
├─ Agent
└─ Virtual Agent (if available)

Divisions: Home Division

Scopes:
├─ conversations:readonly
├─ conversations:external:contact:add
├─ knowledge:readonly
└─ users:readonly

Token Duration: 86400 (1 day)

Use Case:
├─ Chatbot integration
├─ No user context
├─ Reads knowledge base
└─ Fully automated

Configuration 6: Admin Tool/Dashboard

Grant Type: Authorization Code
Redirect URIs:
├─ https://admin.yourcompany.com/callback
└─ http://localhost:8080/callback (dev)

Scopes:
├─ users:manage
├─ roles:manage
├─ oauth:client:manage
└─ admin:org:manage

Token Duration: 3600 (1 hour)

Use Case:
├─ Admin portal
├─ Full management capabilities
├─ User authentication
└─ Administrative access control
 
 
 Troubleshooting OAuth Clients 
 Problem: Client Creation Fails

Check:
├─ Permission: Do you have oauth:client:add?
├─ Roles: Do you have the roles you're assigning?
├─ Scopes: Are scope names spelled correctly?
└─ Divisions: Do divisions exist?

Solution:
├─ Request oauth:client:add permission
├─ Use roles you have assigned
├─ Check scope names in API Explorer
└─ Use existing divisions

Problem: Client Secret Lost/Forgotten

Cannot Retrieve:
├─ Old secret: Cannot view (security feature)
├─ No recovery method
├─ No admin override
└─ Design for security

Solution:
├─ Generate new secret
├─ Update application
├─ Delete old client if not needed
└─ Document in future

Steps:
1. Click "Generate new secret"
2. Copy new secret
3. Update application config
4. Test authentication
5. Verify working

Problem: 401 Unauthorized on API Calls

Possible Causes:
├─ Token expired: Get fresh token
├─ Token revoked: Authenticate again
├─ Client credentials wrong: Check spelling
├─ Client no longer exists: Recreate
└─ Secret wrong: Regenerate

Troubleshooting:
1. Check token hasn't expired
2. Try authenticating again (fresh token)
3. Verify client_id and client_secret spelling
4. Check client exists in Admin UI
5. If regenerated secret, update application
6. Monitor logs for pattern

Problem: Scopes Not Working

User Still Can't Access API:

Causes:
├─ Wrong scope name
├─ User missing permission
├─ Token doesn't have scope
├─ Both scope and permission needed
└─ Other 403 reason

Check:
1. API Explorer: What scope required?
2. Token: Does it have that scope?
3. User: Does user have role permission?
4. Both: Scope AND permission needed
5. 403 error: One or both missing

Problem: Application Not Working After Update

Something Changed:

Check:
├─ Secret regenerated? Update app config
├─ Scopes changed? Users must re-authorize
├─ Roles changed? Token might lack permission
├─ Token duration changed? Should still work
└─ Redirect URI changed? Registration needed

Fix:
├─ If secret: Update app immediately
├─ If scopes: Get new token (user re-auth)
├─ If roles: Assign correct roles
└─ If URI: Re-register in Admin UI
 
 
 Best Practices: OAuth Client Management 
 Security:
□ Store secrets in secure vault
□ Rotate monthly minimum
□ Never commit to git
□ Use environment variables
□ Encrypt at rest and in transit
□ Audit all changes
□ Monitor for anomalies
□ Principle of least privilege

Operations:
□ Document each client's purpose
□ Keep contact info for app owner
□ Review quarterly
□ Remove unused clients
□ Plan secret rotation schedule
□ Test after any changes
□ Verify working regularly
□ Monitor token usage

Compliance:
□ Meet HIPAA requirements
□ Meet PCI-DSS requirements
□ Meet SOC 2 requirements
□ Document compliance steps
□ Keep audit logs
□ Review permissions quarterly
□ Maintain change log
□ Plan for incidents
 
 
 Key Takeaways: Chapter 6 
 
 Admin-Only Access - Only admins can create OAuth clients 
 Secret View-Once - Client secret only shown at creation (March 2026 change) 
 Secure Storage Required - Use vault, not code/git/environment 
 Monthly Rotation - Standard practice for secret updates 
 Dual Grant Types - Can select multiple grant types per client 
 Role & Scope - Both required for Client Credentials 
 Redirect URIs - Must be exact match (case-sensitive) 
 Audit Everything - Log client creation, secret rotation, deletions 
 
 
 Interview Prep: OAuth Client Management 
 
 
 
 Question 
 Answer 
 
 
 
 
 Where create OAuth client? 
 Admin → Integrations → OAuth → Add client 
 
 
 Who can create? 
 Users with oauth:client:add permission 
 
 
 Client secret visibility? 
 Only shown once at creation (March 2026 change) 
 
 
 If secret lost? 
 Generate new secret, update application 
 
 
 Secret storage? 
 Secure vault (HashiCorp, AWS, Azure) 
 
 
 Secret rotation? 
 Monthly minimum, before departures, after exposure 
 
 
 Redirect URIs? 
 Up to 125, must be HTTPS, exact match required 
 
 
 Scopes required? 
 Yes, principle of least privilege 
 
 
 Token duration? 
 Default 1 hour, configurable 300-172,800 seconds 
 
 
 Client deletion? 
 Immediate, tokens invalid, can't recover 
 
 
 
 
 Document Version 
 Chapter : 6 of 8 
 Last Updated : March 2026 
 Status : Current with OAuth 2.0 standards 
 Scope : Client creation, management, security