Question
Murex
LB
Last activity: 23 Sep 2024 7:38 EDT
How to get the Access Token of the user in OIDC SSO - Decrypt Pega Open ID Connect Encrypted Access Token
Hello,
For context, in one of our projects we are implementing SAML SSO for user authentication and then we read the user security groups from Azure and we map them into Pega's work group. We want to switch to OpenID Connect as we have alot of integrations with other applications and would like to use the user JWT tokens to authenticate these calls.
I created the OpenID Connect Authentication service and its connected to our application in Microsoft Azure.
The user is authenticated property and I was able to map the claims and read the security groups through the ID Token.
Once the user is logged in I was able to get the ID token from the datapage D_pyOIDCLoginInfo
But what I need is the access token. I did some research and most of the answers revolved around:
ClipboardPage mAuthServicePage = tools.findPage("AuthService");
com.pega.pegarules.priv.util.ServiceUtilsPriv svcUtilPriv = ((PegaAPI)tools).getServiceUtilsPriv();
String token = svcUtilPriv.getOAuth2Client(tools, mAuthServicePage, "UserIDExampleOfUserX").getAccessToken();
This did not work and it threw a null pointer exception, and some other pega errors.
Pega stores the access token records in Data-Admin-Security-OAuth2-AccessToken
Hello,
For context, in one of our projects we are implementing SAML SSO for user authentication and then we read the user security groups from Azure and we map them into Pega's work group. We want to switch to OpenID Connect as we have alot of integrations with other applications and would like to use the user JWT tokens to authenticate these calls.
I created the OpenID Connect Authentication service and its connected to our application in Microsoft Azure.
The user is authenticated property and I was able to map the claims and read the security groups through the ID Token.
Once the user is logged in I was able to get the ID token from the datapage D_pyOIDCLoginInfo
But what I need is the access token. I did some research and most of the answers revolved around:
ClipboardPage mAuthServicePage = tools.findPage("AuthService");
com.pega.pegarules.priv.util.ServiceUtilsPriv svcUtilPriv = ((PegaAPI)tools).getServiceUtilsPriv();
String token = svcUtilPriv.getOAuth2Client(tools, mAuthServicePage, "UserIDExampleOfUserX").getAccessToken();
This did not work and it threw a null pointer exception, and some other pega errors.
Pega stores the access token records in Data-Admin-Security-OAuth2-AccessToken
The only way I was able to retrieve the access token of the user is by using Obj-Browse on Data-Admin-Security-OAuth2-AccessToken reading pyAccessToken and filtering on pyUserIdentifier and getting the latest added token for this user.
Now the problem is that this token is encrypted and when attempting to decrypt it, it doesn't work.
An example of the token is :
"\t"{in}bqYTnuldsS1ZpnrLMVFZJEMh0LKJgI8/SAVPMXsdemLPPYXuweLwuWeLTcl+0POIJZjmgEZ
I tried using:
accessToken = tools.getPRCrypto().decrypt(encryptedToken);
it didn't work, and the access token remains as it is. Turned out that the getPRCrypto only decrypts values that contains {pr} in the beggining so for example the encrypted text needs to be something like:
"\t"{pr}bqYTnuldsS1ZpnrLMVFZJEMh0LKJgI8/SAVPMXsdemLPPYXuweLwuWeLTcl+0POIJZjmgEZ
instead of
"\t"{in}bqYTnuldsS1ZpnrLMVFZJEMh0LKJgI8/SAVPMXsdemLPPYXuweLwuWeLTcl+0POIJZjmgEZ
I tried to replace {in} with {pr} using str.Replace() just to see how pega behaves and now tracer throws an error com.pega.pegarules.pub.context.CryptographicException: Problem decrypting data which means that pega only attempts to do the decryption if the ecrypted string.
Does Pega even support decrypting the access token?
Does Pega allows retrieving the access token using some ootb api?
Why doesn't Pega simply store the access token in the clipboard like they store the ID token?
Also I couldn't find the refresh token anywhere. This is basic oauth 2.0 its crazy that Pega doesn't support that.
If the access token cannot be retrieved then the entire OpenID Connect Authentication service in Pega is useless
Can anyone assist on this?
Thanks,
Shokor
Keywords : OIDC - OpenID Connect - Decrypt Access Token - Authentication Services - SSO - Refesh Token