Question

JWT Authentication activity for Mashup - not authorized to open instance DATA-ADMIN-SECURITY-TOKEN

Hi All

We have a need to authenticate mashup users by means of a JSON Web Token (JWT). Many of the moving parts of the solution are working. The part where I am stuck is where I need to validate the JWT. I have a working Token Profile that I tested with pxProcessJWT, but when I try to do an Obj-Open on it so that I can use JwtUtils.processJSONWebToken(...), I get an error:

"Error in Obj-Open
com.pega.pegarules.pub.database.AuthorizationException: You are not authorized to open instance DATA-ADMIN-SECURITY-TOKEN <my token name>"

Obviously the current user is unauthenticated, so it looks like I would need to modify the PegaRULES:Guest access role to allow this. Which in turn would mean unlocking the PegaRULES:08-01-01 ruleset.

Does anyone know of a better way? I don't want to resort to adding a lot of custom Java to go around this obstacle.

***Edited by Moderator Marissa to update platform capability tags****

Correct Answer
April 16, 2019 - 4:39am

I resolved this by creating a new Access Role authorized to open instance DATA-ADMIN-SECURITY-TOKEN and adding it to the Gateway:Unauthenticated access group.

Comments


April 15, 2019 - 2:25pm

I don't think unauthorized AG is the key here - nor should you ever be messing with it. Also, what makes you think PegaRULES:Guest is in play here?

Are you coding something that will be part of an application or are you just testing? Will the code need to run in a browser requestor, batch requestor and/or an APP requestor?

Show me what you've got for code and I'll test on my system with my own token.

April 16, 2019 - 1:42am
Response to PaulGentile_GCS

Thanks for the reply. PegaRULES:Guest is just a guess. I am not just testing. This will be part of an application. There is not much code yet. To reproduce what I am doing:

1. Create a token profile for processing and test it with pxProcessJWT

2. Create a custom servlet in web.xml that is a duplicate of IAC, but with a custom AuthService.

3. Create a mashup with the url pointing to the custom servlet with an action parameter for the token. Call it 'jwt'.

4. Create a test page for the mashup. I created a small Spring Boot project for this.

5. Create the AuthService in the Gateway ruleset. You cannot do this in an application layer higher up. I've been through this when I got an LDAP authentication service working.

6. The first thing you need to do in the AuthService is verify the token. I started by copying the Obj-Open step in pxProcessJWT in order to open the token profile. This is where I get the authorisation issue when I test my mashup. I cannot call the pxProcessJWT activity from here because Pega cannot "see" it. I also cannot save-as it into a different ruleset because it is "final".

Next steps will be to get the claims from the token and use those to create an operator based on a model operator with the correct access group, if this is the first time the user gets here; otherwise use the operator that is already there.


April 17, 2019 - 11:38pm

I was wary of this solution but I've run it by a SME and they have no problem with this. Especially seeing you've isolated this down to your own AG.