Posted: 6 Jun 2020 6:56 EDT Last activity: 6 Jun 2020 15:20 EDT
Client secret in Authentication Profile when using OAuth 2.0 should be optional
Greetings. We have a requirement to secure a REST API using a token generated by Azure AD. Pega is registered as a native app in Azure AD and the grant type is password. We were provided with a client ID, username, password, resource, scope and client secret, but if I send client_secret as one of the parameters, I get the error below:
"error_description": "AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.\r\nTrace ID: 31a8d86b-8d15-4a60-ad5a-aca50e0b0300\r\nCorrelation ID: f3f2e54b-ddec-43f4-92d8-4c0fc3c41b4e\r\nTimestamp: 2020-06-05 20:43:40Z",
From Pega, client_secret is not optional, but from Postman, if I ignore the client_secret but pass in the remaining keys, I get a proper access_token and refresh_token back.
Can anyone tell me if there is a way to make client_secret optional from Pega?