OIDC Access Token expiration problem
Hi Everyone,
I have OpenID connect authentication in my application (usingn pega 8.5.5) and it is working fine, until i found accesstoken expiration problem.
After an authentication succeed, The Access Token received from the external system has expiration time. Each time we refresh the User Token, we have to retrieve and pass the AccessToken to get the userinfo.
If the AccessToken is expired, we have to refresh the AccessToken and pass the latest AccessToken. How do we refresh the AccessToken ?. Is there any API available to refresh the AccessToken. I am looking at making a Connect-REST call to Token API to retrieve the AccessToken. To do this i need to retrieve the RefreshToken sent from IDP. But I am not seeing any Pega API to retrieve the RefreshToken for the current user. I looked at the AccessToken Blob in DB, RefreshToken is encrypted. Unable to retrieve the decrypted value of RefreshToken.
i alsotrying to call com.pega.pegarules.pub.connect.oauth2.OAuth2Client.RevokeToken(), this function delete the Data-Admin-Security-OAuth2-AccessToken, but now i am stuck how to register new Data-Admin-Security-OAuth2-AccessToken with the new access token.
is there another way to achieve how to refresh or get new access token to Data-Admin-Security-OAuth2-AccessToken?.
Any help or comment would be appreciated.
Thank you,
Musa
Accepted Solution
Updated: 15 May 2024 9:12 EDT
Pegasystems Inc.
GB
In Pega Platform, when an OAuth 2.0 client application requests a new access token using the refresh token grant type, the response includes the new access token as well as the refresh token. You can choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform in the Token Management section. However, retrieving the Refresh Token directly from the IDP or decrypting the Refresh Token from the AccessToken Blob in DB is not supported out of the box. You might need to customize your application to handle these scenarios. Please note that any customization should comply with the security standards and guidelines of your organization.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Troubleshooting OpenID Connect (OIDC) integrations
Reuse Authentication service token for REST connector
Enhanced refresh token strategy
You might be able to contact your Pega AE and mention the following enhancement request to see if it matches your requirement:
penID Connect post authentication Activity context (FDBK-60614)
In Pega Platform, when an OAuth 2.0 client application requests a new access token using the refresh token grant type, the response includes the new access token as well as the refresh token. You can choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform in the Token Management section. However, retrieving the Refresh Token directly from the IDP or decrypting the Refresh Token from the AccessToken Blob in DB is not supported out of the box. You might need to customize your application to handle these scenarios. Please note that any customization should comply with the security standards and guidelines of your organization.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Troubleshooting OpenID Connect (OIDC) integrations
Reuse Authentication service token for REST connector
Enhanced refresh token strategy
You might be able to contact your Pega AE and mention the following enhancement request to see if it matches your requirement:
penID Connect post authentication Activity context (FDBK-60614)
I am unable to find any support ticket from you. Did your organization ever log this?
Accepted Solution
Updated: 15 May 2024 9:12 EDT
Pegasystems Inc.
GB
In Pega Platform, when an OAuth 2.0 client application requests a new access token using the refresh token grant type, the response includes the new access token as well as the refresh token. You can choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform in the Token Management section. However, retrieving the Refresh Token directly from the IDP or decrypting the Refresh Token from the AccessToken Blob in DB is not supported out of the box. You might need to customize your application to handle these scenarios. Please note that any customization should comply with the security standards and guidelines of your organization.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Troubleshooting OpenID Connect (OIDC) integrations
Reuse Authentication service token for REST connector
Enhanced refresh token strategy
You might be able to contact your Pega AE and mention the following enhancement request to see if it matches your requirement:
penID Connect post authentication Activity context (FDBK-60614)
In Pega Platform, when an OAuth 2.0 client application requests a new access token using the refresh token grant type, the response includes the new access token as well as the refresh token. You can choose the refresh token issuance mechanism and the expiration of various tokens issued by Pega Platform in the Token Management section. However, retrieving the Refresh Token directly from the IDP or decrypting the Refresh Token from the AccessToken Blob in DB is not supported out of the box. You might need to customize your application to handle these scenarios. Please note that any customization should comply with the security standards and guidelines of your organization.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Troubleshooting OpenID Connect (OIDC) integrations
Reuse Authentication service token for REST connector
Enhanced refresh token strategy
You might be able to contact your Pega AE and mention the following enhancement request to see if it matches your requirement:
penID Connect post authentication Activity context (FDBK-60614)
I am unable to find any support ticket from you. Did your organization ever log this?