Question
SOFTTECH A.Ş.
TR
Last activity: 11 Mar 2024 5:38 EDT
JWT Creation and its usage for Connect-Rest rule
Hi,
We are trying to integrate with a REST web service to which we have to make our requests in JWT format. Thus, we have a Connect-REST rule and I have created a Token Profile rule.
I am calling the pxGenerateJWT activity to generate a JWT token, inside the activity containing the Connect-REST method; on the output page I get the pyJWT property containing the JWT, and I set this pyJWT property to a custom property. When I decode the pyJWT property's value using the https://jwt.io/ web page, I see that some of Pega's OOB properties (pxObjClass etc.) are added inside the request fields in the payload. Because of these extra fields, our requests are failing with validation errors on the service side.
So how can we prevent these OOB Pega properties from being added to the request? Meanwhile, I attached screenshots of how I set the Token Profile, the Connect-REST rule and the activity calling it as well. I wonder if I am setting Message data on the Connect-REST rule correctly or should I make a change on the Token Profile?
Any help is appreciated.
Thank you.
@AHMETBURAKS I can see that INC-B6351 was resolved with the following solution
Issue primary reason description:
remove pxObjClass and pxObjClass fields from request by setting excludedPropertiesJWTList parameter on pxGenerateJWT
https://docs-previous.pega.com/sites/default/files/help_v73/data-/data-admin-/data-admin-security-/data-admin-security-token/sec-config-activity-gen&proc-JWT-tsk.htm
Answer:
1. @TANDP @nvkap perhaps you can clarify this point as GCS cannot help with design questions.
2. Check documentation for that configuration as using JWT for Connect-REST rules in Pega required writing some custom Java code for Connect-REST using the activity pyInvokeRestConnector.
Pega should support sending a JSON Web Token for authentication via the header of a Connect-REST. However, refreshing the JWT after the user is already inside of Pega might require additional custom solutions, which is out of scope for GCS support.
Please check documentation below which can help:
https://support.pega.com/question/jwt-json-web-tokens
https://docs.pega.com/bundle/customer-service/page/customer-service/constellation-implementation/chat-messaging/client-channel-api-payload-requirements-c11n.html
https://support.pega.com/question/jwt-bearer-authentication-rest-connector
Alternatively, if you would rather have direct consulting assistance from Pega Consulting on your question, please reach out to your Account Executive. Please let us know if you have any questions about this information or if you would prefer to connect with your Account Executive.
Your question, how to exclude pyData from payload:
Can you use the same settings excludedPropertiesJWTList and include pxObjClass and pyData?
https://docs-previous.pega.com/sites/default/files/help_v73/data-/data-admin-/data-admin-security-/data-admin-security-token/sec-config-activity-gen&proc-JWT-tsk.htm
"excludedPropertiesJWTList - Optional: Enter a comma-separated list of properties to exclude from the node."
For more questions, you can also use the already created topic on the Pega community:
https://support.pega.com/question/jwt-creation-and-its-usage-connect-rest-rule
You are using old Pega 8.4.3 and we strongly recommend using new Pega 8.8.x or Pega Infinity 23.x.
Explanation description:
Client can get the JWT by REST request on our Pega application at the moment and can decode it on the https://jwt.io web page. But we can see some of Pega's OOB properties (pxObjClass, pyData) are added inside the request fields in the payload and this causes our requests to fail.
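An added example, not part of the thread and not Pega code: a small offline check that decodes a JWT payload and lists every claim, at any nesting depth, whose name looks like a Pega out-of-the-box property, which is useful for confirming that excludedPropertiesJWTList took effect. The px/py/pz prefix pattern is an assumption generalized from the pxObjClass and pyData names on this page, and the sample token and its claim values are constructed.

```python
import base64
import json
import re

# Assumption: Pega OOB properties follow the px/py/pz + capital-letter naming
# seen on this page (pxObjClass, pyData).
PEGA_PROP = re.compile(r"^(px|py|pz)[A-Z]")

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(jwt: str) -> dict:
    """Return the claims of a compact JWS; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def find_pega_props(node, path=""):
    """Recursively list paths of claims whose names look like Pega properties."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if PEGA_PROP.match(key):
                hits.append(here)
            hits.extend(find_pega_props(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pega_props(item, f"{path}[{i}]"))
    return hits

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed token for the demo; the signature part is a dummy."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Constructed sample payload, not taken from the poster's system.
SAMPLE = make_sample_jwt({
    "iss": "example-issuer", "pxObjClass": "Example-Class",
    "request": {"amount": 10, "pxObjClass": "Example-Class", "items": [{"pyData": "x"}]},
})

if __name__ == "__main__":
    print(find_pega_props(decode_payload(SAMPLE)))
```

An empty list means no claim name matched the pattern; the check inspects names only and says nothing about whether the token's signature is valid.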