Question

OAuth2 OpenID Connect

We are trying to implement an OAuth2 OpenID Connect based user authentication. The idea is to redirect to the OAuth2 Identity Provider for login which then redirects to Pega with an authorization code which Pega would use to retrieve a token from the Identity Provider that contains the user identity and other information (Authorization Code Grant Flow).

I can create an OAuth 2.0 Provider and an Authentication Profile that leverages it, but I am not sure how to use it for user authentication. The information I found here is that OOTB it does not seem to be available. I am OK with creating a Custom authentication activity, I just wonder if somebody already did that and could provide some guidance.

**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Correct Answer
January 9, 2018 - 3:29pm

We ended up writing a Connect-REST rule to retrieve the token from the OAuth Provider based on the authorization code received.

It would be good to add this to OOTB features instead of having to write our own rules.

Comments


December 27, 2017 - 4:52am

Hi,

Can you please share your authentication service screenshot? Based on the ID you can hit the URL.

If Authentication Service ID is WebLDAP1, you can use the below link to achieve this.

http://localhost:8719/prweb/PRWebLDAP1

January 3, 2018 - 8:11am
Response to SudhakarReddy

Here is what I am trying to do.

I am using the PRServletCustom servlet (OOTB mapped to CustomSample Authentication Service). My Authentication Service is then using a custom activity to do the following:

  1. Check if there is an authorization code being sent.
    1. If no = redirect to OAuth ID Provider for user authentication.
    2. If yes = use the Authorization Code to retrieve a JWT from the OAuth ID Provider.
  2. Perform operator creation/update based on LDAP information.

It's with step #1.b that I am not sure how to do it without having to manually call the REST service.
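The two halves of the flow listed above (redirect when no code is present, otherwise exchange the code for tokens, which is what the accepted answer's Connect-REST rule does) as an added example. This is not code from the thread or from Pega: the issuer, client id, redirect URI, authorization code and `fake_token_endpoint` are all constructed so it runs offline, and the claim checks are the minimum before the `sub`/`email` claims can drive operator creation.

```python
import base64, json, time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://idp.example.com"                               # constructed IdP
CLIENT_ID = "pega-client"                                        # constructed
REDIRECT_URI = "https://pega.example.com/prweb/PRServletCustom"  # constructed
ISSUED_CODE = "SplxlOBeZQQYbYS6WxSbIA"                           # constructed sample code

def build_authorize_url(state):
    """Step 1.a: where to send the browser when the request carries no code."""
    q = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid email",
         "redirect_uri": REDIRECT_URI, "state": state}
    return f"{ISSUER}/authorize?{urlencode(q)}"

def handle_callback(url, expected_state, post):
    """Step 1: None when no code is present (caller redirects), else the token response."""
    qs = parse_qs(urlparse(url).query)
    if "code" not in qs:
        return None
    # Tie the callback to the session that started the login (CSRF defence).
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    # Step 1.b: the back-channel POST to the token endpoint (the Connect-REST call).
    form = {"grant_type": "authorization_code", "code": qs["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID}
    resp = post(f"{ISSUER}/token", form)
    if resp.get("token_type", "").lower() != "bearer" or "id_token" not in resp:
        raise ValueError("unexpected token response: %s" % resp.get("error", "?"))
    return resp

def id_token_claims(id_token, now=None):
    """Decode the ID token payload and check iss/aud/exp. The JWT signature must
    still be verified against the IdP's JWKS before these claims are trusted."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) < now:
        raise ValueError("id_token claims rejected")
    return claims

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def fake_token_endpoint(url, form):
    """Constructed stand-in for the IdP's token endpoint, for the offline demo only."""
    assert url.endswith("/token") and form["grant_type"] == "authorization_code"
    if form["code"] != ISSUED_CODE or form["redirect_uri"] != REDIRECT_URI:
        return {"error": "invalid_grant"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "u-42",
              "email": "pat@example.com", "exp": 9999999999}
    return {"token_type": "Bearer", "access_token": "at-1",
            "id_token": f"{_b64({'alg': 'RS256'})}.{_b64(claims)}.sig"}
```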

January 3, 2018 - 1:46pm

As per the below article, Pega doesn't support OpenID Connect.

https://pdn.pega.com/community/product-support/question/oauth2-openid-connect-token-support 

Thanks,

Arun

January 3, 2018 - 3:33pm
Response to Arun_Mahanty

Based on this article (which I had read before) it says that it supports the authorization code grant type. This grant type is supposed to be used to retrieve a token based on an authorization code.

I tried to replicate what is currently done in `pxIsAccessTokenPresent`, but it does not seem to work. It uses an "operatorID" parameter, which I don't have at that point: `svcUtilPriv.getOAuth2Client(tools, authProfilePage, operatorId).getAccessToken();`

It does not seem to retrieve the token.

Do I need to manually do the token retrieval based on the authorization code I receive?


Pega
December 24, 2018 - 3:15am
Response to PatrickC8660

As of Pega Platform 8.1 this feature is available OOTB for browser and mobile apps. There are community articles describing how this feature can be used with different Identity Providers, such as Okta, Auth0 or miniOrange.