Question
Murex
LB
Last activity: 8 Oct 2024 8:06 EDT
How to get the Access Token of the user in OIDC SSO - Decrypt Pega Open ID Connect Encrypted Access Token
Hello,
For context, in one of our projects we are implementing SAML SSO for user authentication and then we read the user security groups from Azure and we map them into Pega's work group. We want to switch to OpenID Connect as we have alot of integrations with other applications and would like to use the user JWT tokens to authenticate these calls.
I created the OpenID Connect Authentication service and its connected to our application in Microsoft Azure.
The user is authenticated property and I was able to map the claims and read the security groups through the ID Token.
Once the user is logged in I was able to get the ID token from the datapage D_pyOIDCLoginInfo
But what I need is the access token. I did some research and most of the answers revolved around:
ClipboardPage mAuthServicePage = tools.findPage("AuthService");
com.pega.pegarules.priv.util.ServiceUtilsPriv svcUtilPriv = ((PegaAPI)tools).getServiceUtilsPriv();
String token = svcUtilPriv.getOAuth2Client(tools, mAuthServicePage, "UserIDExampleOfUserX").getAccessToken();
This did not work and it threw a null pointer exception, and some other pega errors.
Pega stores the access token records in Data-Admin-Security-OAuth2-AccessToken
Hello,
For context, in one of our projects we are implementing SAML SSO for user authentication and then we read the user security groups from Azure and we map them into Pega's work group. We want to switch to OpenID Connect as we have alot of integrations with other applications and would like to use the user JWT tokens to authenticate these calls.
I created the OpenID Connect Authentication service and its connected to our application in Microsoft Azure.
The user is authenticated property and I was able to map the claims and read the security groups through the ID Token.
Once the user is logged in I was able to get the ID token from the datapage D_pyOIDCLoginInfo
But what I need is the access token. I did some research and most of the answers revolved around:
ClipboardPage mAuthServicePage = tools.findPage("AuthService");
com.pega.pegarules.priv.util.ServiceUtilsPriv svcUtilPriv = ((PegaAPI)tools).getServiceUtilsPriv();
String token = svcUtilPriv.getOAuth2Client(tools, mAuthServicePage, "UserIDExampleOfUserX").getAccessToken();
This did not work and it threw a null pointer exception, and some other pega errors.
Pega stores the access token records in Data-Admin-Security-OAuth2-AccessToken
The only way I was able to retrieve the access token of the user is by using Obj-Browse on Data-Admin-Security-OAuth2-AccessToken reading pyAccessToken and filtering on pyUserIdentifier and getting the latest added token for this user.
Now the problem is that this token is encrypted and when attempting to decrypt it, it doesn't work.
An example of the token is :
"\t"{in}bqYTnuldsS1ZpnrLMVFZJEMh0LKJgI8/SAVPMXsdemLPPYXuweLwuWeLTcl+0POIJZjmgEZ
I tried using:
accessToken = tools.getPRCrypto().decrypt(encryptedToken);
it didn't work, and the access token remains as it is. Turned out that the getPRCrypto only decrypts values that contains {pr} in the beggining so for example the encrypted text needs to be something like:
"\t"{pr}bqYTnuldsS1ZpnrLMVFZJEMh0LKJgI8/SAVPMXsdemLPPYXuweLwuWeLTcl+0POIJZjmgEZ
instead of
"\t"{in}bqYTnuldsS1ZpnrLMVFZJEMh0LKJgI8/SAVPMXsdemLPPYXuweLwuWeLTcl+0POIJZjmgEZ
I tried to replace {in} with {pr} using str.Replace() just to see how pega behaves and now tracer throws an error com.pega.pegarules.pub.context.CryptographicException: Problem decrypting data which means that pega only attempts to do the decryption if the ecrypted string.
Does Pega even support decrypting the access token?
Does Pega allows retrieving the access token using some ootb api?
Why doesn't Pega simply store the access token in the clipboard like they store the ID token?
Also I couldn't find the refresh token anywhere. This is basic oauth 2.0 its crazy that Pega doesn't support that.
If the access token cannot be retrieved then the entire OpenID Connect Authentication service in Pega is useless
Can anyone assist on this?
Thanks,
Shokor
Keywords : OIDC - OpenID Connect - Decrypt Access Token - Authentication Services - SSO - Refesh Token
Pegasystems Inc.
GB
@Mohamad Shokor To retrieve and decrypt the access token in an OpenID Connect SSO setup in Pega, you can use the following approach: 1. Perform an Obj-Browse on the Data-Admin-Security-OAuth2-AccessToken class, filtering on pyUserIdentifier to get the latest access token for the user. 2. The access token is encrypted with a prefix {in}. Pega's tools.getPRCrypto().decrypt() method only works with tokens prefixed with {pr}. 3. Pega does not provide an OOTB API to directly retrieve and decrypt the access token. You may need to implement a custom decryption mechanism if required. Unfortunately, Pega does not store the access token on the clipboard like the ID token, and there is no direct OOTB support for decrypting the access token.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
🌕 Retrieve id token and access token from Open ID authentication 🌕 Troubleshooting OpenID Connect (OIDC) integrations
Murex
LB
@MarijeSchillern just a reply for the sake of replying. Your reply did not add anything to what I mentioned above.
Does pega allow the decryption of {in} prefix encrpted tokens?
Updated: 9 Sep 2024 12:40 EDT
Pegasystems Inc.
GB
@jastg @sasuk @szadp @KenshoTsuchihashi can one of you answer?
Murex
LB
Update to keep this post open
Murex
LB
Another update to keep this post open