Does the NICE CXone authorization service support OAuth 2?
Yes, CXone authorization is based on OAuth 2 and OpenID Connect. The authorization code method is used for user authentication; the resource owner password method is used for back-end integrations.
What authorization type should I choose for my application?
Applications that provide a user interface must use the authorization code method. Back-end integrations that do not have a user interface must use the resource owner password method.
What should I do when I receive a “token expired” response?
The token response includes an expiration period for each token. New tokens must be obtained before that expiration time is reached. A refresh flow is available and is documented here.
Does the NICE CXone API authorization service support all OAuth2 "grant types"?
In the current version of the NICE CXone API Framework, only the Implicit, Password and Client OAuth "grant types" are supported. Support for the Authorization Code grant type will be added in a future release.
What authorization type should I choose for my application?
Each supported OAuth2 grant type is designed for optimal security and usability of specific types of applications:
Implicit: Best for browser client applications or web applications that run on a server.
Password: Best for applications that are not web-based.
Client: Best for applications that do not access resources for a specific authenticated user.
For more specific information on tokens, see the Getting Started tutorial.
What should I do when I receive a "token expired" response?
Password and Client tokens are generally set to expire after an hour. When a token has expired, using the token with an API call will generate an error. Your application must then request a new token. This can be done by sending the authorization key again (for the Password and Client grant types), or by using a refresh_token to request a new API token (for the Implicit grant type). The refresh_token is provided with the API token when the API token is initially granted. Your application can store the refresh token for use when it is notified by the NICE CXone API Framework that your API token has expired. To learn more, see the Getting Started tutorial.
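The expiry handling described in both "token expired" answers above, as an added example that is not NICE CXone code: a small cache that renews shortly before the reported expiry, uses a stored refresh token when it has one, and falls back to a full token request otherwise. The two callables are hypothetical stand-ins for your application's own token and refresh requests, and the field names `access_token`, `refresh_token` and `expires_in` are the standard OAuth 2 token-response fields, assumed here to match what the service returns.

```python
import time

class RefreshFailed(Exception):
    """Raised by the refresh callable when the refresh token is rejected."""

class TokenCache:
    """Renews an access token before the expiry reported in the token response."""
    def __init__(self, request_token, refresh=None, skew=60, clock=time.monotonic):
        self._request = request_token  # hypothetical: () -> token response dict
        self._refresh = refresh        # hypothetical: (refresh_token) -> dict, or None
        self._skew = skew              # renew this many seconds before expiry
        self._clock = clock
        self._access = None
        self._refresh_token = None
        self._expires_at = 0.0

    def _store(self, resp):
        self._access = resp["access_token"]
        # Keep the previous refresh token if the response does not carry a new one.
        self._refresh_token = resp.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + float(resp["expires_in"])

    def _renew(self):
        if self._refresh and self._refresh_token:
            try:
                self._store(self._refresh(self._refresh_token))
                return
            except RefreshFailed:
                self._refresh_token = None  # fall back to a full token request
        self._store(self._request())

    def get(self):
        """Return a token valid for at least `skew` more seconds."""
        if self._access is None or self._clock() >= self._expires_at - self._skew:
            self._renew()
        return self._access

    def invalidate(self):
        self._expires_at = 0.0  # call after a "token expired" error, then get() again

def demo():
    # Constructed responses and a fake clock; no network access.
    now = [0.0]
    first = lambda: {"access_token": "tok-1", "refresh_token": "ref-1", "expires_in": 3600}
    renew = lambda rt: {"access_token": "tok-2", "expires_in": 3600}
    cache = TokenCache(first, renew, clock=lambda: now[0])
    before = cache.get()
    now[0] = 3550.0  # inside the 60-second margin before expiry
    return [before, cache.get()]
```

Keep the stored refresh token out of logs and source control; it can be exchanged for new API tokens.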
Why would I get "403 Forbidden" return code when using a valid token?
This can occur when you are using the "Client" authentication type to call APIs that require the "Implicit" or "Password" authentication type.