Authentication
Security Model
InfinityElements seamlessly inherit authentication from the parent Infinity Desktop session through a secure, coordinated authentication flow.
Session Inheritance
When an InfinityElement loads within the Infinity Agent Desktop, it automatically has access to the authenticated agent's session context via the Component API. No additional login is required for accessing framework APIs.
Agent Context Access
The Component API provides authenticated access to:
const api = new ComponentAPI();
// Get authenticated user information
const userInfo = await api.getUserInfo();
console.log('Agent:', userInfo.displayName);
console.log('User ID:', userInfo.userId);
console.log('Email:', userInfo.email);
console.log('Queues:', userInfo.queues);
JWT Token Access for External APIs
For InfinityElements that need to communicate with external systems, the framework provides secure JWT token retrieval:
// Retrieve Avaya JWT for external API calls
const jwt = await api.getAvayaJwt({
  redirectUri: 'https://your-app.com/callback'
});
// Use token for authenticated external requests
const response = await fetch('https://api.example.com/data', {
  headers: {
    Authorization: `Bearer ${jwt}`
  }
});
Cross-Iframe Coordination
When multiple InfinityElements request authentication simultaneously:
- Only ONE OAuth popup window appears
- All components receive the same token
- Tokens are cached in localStorage for instant retrieval
- Automatic request deduplication prevents redundant authentication flows
API Security
Communication Protocol
All API calls between InfinityElements and the Infinity Desktop use:
- window.postMessage with structured message format
- Origin validation on all received messages
- Request/response correlation via unique request IDs
- Configurable timeout handling (default: 5000ms)
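The pattern listed above, as an added example that is not the framework's own code: a requester that accepts responses only on an exact origin match, correlates them by request ID, and rejects on timeout. The CorrelatedChannel class and the message field names (requestId, method, payload, error) are assumptions made for illustration.

```javascript
// Added example: field names (requestId, method, payload, error) are assumed,
// not the framework's actual wire format.
class CorrelatedChannel {
  // post: function that sends a message to the host, e.g.
  //   (msg) => window.parent.postMessage(msg, trustedOrigin)
  constructor({ post, trustedOrigin, timeoutMs = 5000 }) {
    this.post = post;
    this.trustedOrigin = trustedOrigin;
    this.timeoutMs = timeoutMs;
    this.pending = new Map(); // requestId -> { resolve, reject, timer }
    this.nextId = 0;
  }

  request(method, payload) {
    const requestId = `req-${Date.now()}-${this.nextId++}`;
    return new Promise((resolve, reject) => {
      const timer = setTimeout(() => {
        this.pending.delete(requestId); // a late reply is ignored from now on
        const err = new Error(`${method} timed out after ${this.timeoutMs}ms`);
        err.code = 'TIMEOUT';
        reject(err);
      }, this.timeoutMs);
      this.pending.set(requestId, { resolve, reject, timer });
      this.post({ requestId, method, payload });
    });
  }

  // Wire up with: window.addEventListener('message', (e) => channel.handleMessage(e))
  // Returns true only when the message settled a pending request.
  handleMessage(event) {
    // Exact string comparison; prefix or substring checks would accept look-alike origins.
    if (event.origin !== this.trustedOrigin) return false;
    const data = event.data;
    if (!data || typeof data.requestId !== 'string') return false;
    const entry = this.pending.get(data.requestId);
    if (!entry) return false; // unknown, duplicate, or already timed out
    clearTimeout(entry.timer);
    this.pending.delete(data.requestId);
    if (data.error) {
      const err = new Error(String(data.error.message));
      err.code = data.error.code;
      entry.reject(err);
    } else {
      entry.resolve(data.payload);
    }
    return true;
  }
}
```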
Token Management
JWT tokens are managed automatically:
const jwt = await api.getAvayaJwt();
Features:
- Cached in localStorage for persistence
- PKCE flow prevents authorization code interception
- No client secret required (public client)
- Automatic popup coordination across components
API Request Validation
All Component API methods validate:
- Request parameters before sending
- Response structure and types
- Error handling with detailed error codes
Error Handling Pattern
try {
  await api.setAgentStatus(userId, 'Available');
} catch (error) {
  // Structured error with code and message
  console.error('Error code:', error.code);
  console.error('Error message:', error.message);
}
// Or subscribe to all errors
api.onError((error) => {
  console.error('API Error:', error.code, error.message);
});