REST connector with OAuth 2.0 and JWT Authentication fails

Question

Falko

Member since 2017

2 posts

PEGA

Posted: Sep 19, 2018

Last activity: Sep 20, 2018

Posted: 19 Sep 2018 4:02 EDT
Last activity: 20 Sep 2018 7:46 EDT

Closed

REST connector with OAuth 2.0 and JWT Authentication fails

Report

Currently I'm developing a new REST connector. For this I have to define a new Authentication and create a new OAuth provider using the REST integration wizard in developer studio (Pega 8).

The API I have to access utilizes a JWT (JSON web token) based authentication. So every API request must include a JWT inside a request header. This happens in conjuction with an implementation of OAuth2 using a HMAC-SHA256 algorithm.

The Authentication and request process I have to follow is like:

Currently I'm developing a new REST connector. For this I have to define a new Authentication and create a new OAuth provider using the REST integration wizard in developer studio (Pega 8).

The Authentication and request process I have to follow is like:

Construct a JWT using several (custom) fields, including OAuth fields.
Call a authorize URI with the JWT.
Request will be redirected to Pega redirect_uri with parameter 'code' in the query string.
This code has to be used to construct another JWT (with the 'code' and 'grant_type="authorization_code"' fields)
POST to access token URI with the JWT.
The response will contain an access_token.
This token has to be used to construct another JWT (with the 'authorization' field)
Finally the Web API can be called with the JWT.

I'm not sure if this whole process and all the requirements can be covered by Pega 8 (Infinity) OOTB.

Currently I'm facing several problems. After configuring the connector and the OAuth provider (see parameters below) and trying to connect I get back an error message from the API like this:

https://api.XXXX.com/YYYYY/ZZZZZ/authorize?redirect_uri=http%3A%2F%2F Proprietary information hidden%3A9080%2Fprweb%2FPRRestService%2Foauth2%2Fv1%2Fredirect&client_id=111222333444XXXXYYY&scope=scope&state=xxxxxxxxxx&response_type=code

{
  "errors": [
    {
      "title": "unauthorized_client",
      "id": "XXX",
      "meta": {
        "server-time": 123
      },
      "errorCode": "unauthorized-client",
      "status": 401,
      "detail": "No definition of jwt found in header or query string."
    }
  ],
  "error_description": "No definition of jwt found in header or query string.",
  "error": "unauthorized_client"
}

I'm pretty sure that the credentials I've entered (client ID and secret key) are correct. So I can see possible reasons for this error here:

The encryption does not use the HMAC-SHA256 algorithm. Unfortunately I can't see where I could change this in the setup.
There will be not JWT (token) generated in the header of the request (should be done automatically I think).
Pega 8 does not support the process flow mentioned above.

Here are some more details regarding the (most important) parameters I've entered so far:

No special definition of a header (assuming that this will be generated automatically by Pega)
Authentiction scheme: OAuth 2.0
OAuth provider details:
- Grant types: Client credentials AND Authorization code
- All three code and token endpoints (URI's)
- Send credentials as: POST
- Send access token as: Authorization header
Grant type: Authorization code
All four client information fields
Additional endpoint parameter: response_type = code

What I also tried is to change the Grant type to "Client credentials". In this case I can see the following error message (even when manually re-entering the redirect-URI):

Caught Exception while creating OAuth2 client

Unable to obtain access token for client details in authentication profile configured for connector. Please check the logs for more details.

Access token endpoint invocation failed : {ErrorMessage=Response status : 307 Moved Temporarily, statuscode=307}

I checked the according endpoints but they all seem to be available but this is currently under clarification.

So it would be great if anybody with some REST, OAuth2 and JWT experience could comment on this or share some ideas.

Show Less

To see attachments, please log in.

Low-Code App Development

Dev/Designer Studio

Data Integration

Security

Like (0)
Share this page Facebook Twitter LinkedIn Email Copying... Copied!

Posted: 6 years ago

Posted: 19 Sep 2018 7:31 EDT

Falko

PEGA

replied to Falko

Report

UPDATE: when changing the "Access token endpoint URI" from the configuration mentioned at the end of my question from HTTP://xxx to HTTPS://xxx I do not get an 307 error anymore but a 401 (unauthorized request) error.

To see attachments, please log in.

Like (0)

Posted: 6 years ago

Updated: 6 years ago

Posted: 19 Sep 2018 14:38 EDT
Updated: 20 Sep 2018 7:46 EDT

desad1

PEGA

replied to Falko

Report

Pega does not support sending JWT as a header in authorize URL as well as for access token end point.

For next usecase

OAuth provider details:
- Grant types: Client credentials AND Authorization code
- All three code and token endpoints (URI's)
- Send credentials as: POST
- Send access token as: Authorization header
Grant type: Authorization code
For authorize code grant type you need to hit authorize url first with required parameters(client_id,grant_type,state,response_type,redirect_uri)to fetch the code and hit the access token end point with these parameters(client_id,client_secret,redirect_uri,code,grant_type)
For client credentials grant type you need to hit only access token end point with parameters(client_id,client_secret,grant_type)

To see attachments, please log in.

Likes (1)

Bopaki Tebalo

Question

REST connector with OAuth 2.0 and JWT Authentication fails

Need help or want to help others?

Experience the benefits of Support Center when you log in.

Question

REST connector with OAuth 2.0 and JWT Authentication fails

Related content:

Need help or want to help others?

Experience the benefits of Support Center when you log in.

We'd prefer it if you saw us at our best.