Skip to main content

Question

 Jason Guo (JasonG17211207)
IP Australia

IP Australia
AU
JasonG17211207 Member since 2024 1 post
IP Australia
Posted: 3 weeks 5 days ago
Last activity: 1 week 5 days ago
Posted: 26 Feb 2025 19:20 EST
Last activity: 13 Mar 2025 5:51 EDT

Retrieve OAuth2Client id_token through OIDC workflow

 
try {
  String operator=tools.getParameterPage().getString("operator");
  com.pega.pegarules.pub.connect.oauth2.OAuth2Client oauth2Client = pega.getServiceUtilsPriv().getOAuth2Client(tools,myStepPage,operator);
  ClipboardPage accessToken = oauth2Client.retrieveAccessToken();
  strAccessToken = oauth2Client.getAccessToken();
  strPyExpiresAt = accessToken.getString("pyExpiresAt");
  label = myStepPage.getString("pyLabel");
}
catch(Exception exp)
{
    oLog.error("Token fetch failed :" + exp.getMessage());
}

We are trying to use the OAuthConnect to call the activity GetTokenFromOAuthProfile to retrieve an OAuth token that we can use to request a resource from another internal API. 

There was a related question asked 9 years ago on 7.2.1 OAuth2 OpenID Connect Token support | Support Center where the answer was that Pega 7 didn't support OIDC OTTB. 

Can someone please shed some light on the OAuth2Client class in 23 or 24 and let us know if there is a way to retrieve id_token in addition to the access_token?

We are able to see the id_token being part of the external auth (SSO) implementation for the users. However, in our use case, we need to make the id_token available to a Constellation custom UX component through the above mentioned activity (called by a data page).

Thank you in advance.

***Edited by Moderator Rupashree S. to add Capability tags***
***Edited by Moderator Marije to add Product Enhancement plans EPIC ***
To see attachments, please log in.
Pega Infinity
Security
Constellation
User Experience

  • Reply
  • Ajay C Rick Walton SOHAIL SHAIKH Viktoryia Misevich Lauren Neatherlin and 5 More
Posted: 1 week ago
Updated: 1 week ago
Posted: 12 Mar 2025 15:17 EDT
Updated: 13 Mar 2025 5:51 EDT
Marije Schillern (MarijeSchillern)
MOD
Senior Knowledge Management Specialist
Pegasystems Inc.
GB

@JasonG17211207 as you have not had any response, I will provide some input.  

NOTE: The below answer came from a GenAI tool.  It is imperative you check the References used to come with this answer.  It may not be Constellation-specific .

-----------------------------

Here are several approaches you might consider to access the id_token in your OIDC workflow.

Current OAuth2Client Capabilities

The OAuth2Client class in Pega primarily focuses on access_token handling, which is why you're seeing methods like retrieveAccessToken() and getAccessToken() in your code. Unlike these dedicated methods for access tokens, there doesn't appear to be a direct equivalent method like getIdToken() in the standard OAuth2Client class.

Show More

@JasonG17211207 as you have not had any response, I will provide some input.  

NOTE: The below answer came from a GenAI tool.  It is imperative you check the References used to come with this answer.  It may not be Constellation-specific .

-----------------------------

Here are several approaches you might consider to access the id_token in your OIDC workflow.

Current OAuth2Client Capabilities

The OAuth2Client class in Pega primarily focuses on access_token handling, which is why you're seeing methods like retrieveAccessToken() and getAccessToken() in your code. Unlike these dedicated methods for access tokens, there doesn't appear to be a direct equivalent method like getIdToken() in the standard OAuth2Client class.

Possible Approaches

  1. Examine the Raw OAuth Response Looking at the support forum thread you referenced from 7.2.1, one user mentioned they could see both tokens (access_token and id_token) when using Connect-HTTP to capture the raw OAuth response, but only the access_token was available when using the OAuth2Client methods. This suggests the full response including the id_token may be received but not exposed through the standard methods.
  2. Check Data-Admin-Security-AccessTokenKeys Based on information from Pega Support, you may want to examine instances of the Data-Admin-Security-AccessTokenKeys class, which might contain the full token information including the id_token.
  3. Enable Debug Logging for NimbusOIDCClientHandler If your OIDC Provider uses the NimbusOIDCClientHandler, you can enable debug logging on this component to view the complete token response, which should include the id_token. The debug logs would show the raw response containing both tokens before they're processed.
  4. Custom Java Step Since you already have a Java step in your redirect service, you might be able to extend it to capture the full OAuth response before it's processed by the OAuth2Client. This would be similar to the Connect-HTTP approach but integrated into your existing flow.
  5. Reflection or Internal APIs As a more advanced option, you might investigate whether the OAuth2Client object internally stores the id_token after parsing the response. It's possible that while there's no public method to access it, the information might be available within the object's state.

Implementation Suggestion

Based on your current code and the fact that you're trying to make the id_token available to a Constellation custom UX component, one pragmatic approach might be:

try {
  String operator = tools.getParameterPage().getString("operator");
  com.pega.pegarules.pub.connect.oauth2.OAuth2Client oauth2Client = pega.getServiceUtilsPriv().getOAuth2Client(tools,myStepPage,operator);
  
  // First get the standard access token as you're doing now
  ClipboardPage accessToken = oauth2Client.retrieveAccessToken();
  strAccessToken = oauth2Client.getAccessToken();
  
  // Then capture the raw response if available (implementation depends on how you're calling the OAuth endpoint)
  // This could be through a custom connect-HTTP call or by extending the OAuth2Client implementation
  
  // Store both tokens in your data page for the UX component
  myStepPage.putString("accessToken", strAccessToken);
  myStepPage.putString("idToken", idTokenFromRawResponse); // You'd need to implement this part
}
catch(Exception exp) {
  oLog.error("Token fetch failed :" + exp.getMessage());
}

OIDC Evolution in Pega

It's worth noting that the original question from 9 years ago indicated Pega 7 didn't provide built-in support for OpenID Connect at that time. While Pega has evolved significantly since then and now includes more robust OIDC support, the specific capability to directly access the id_token through the OAuth2Client class might still not be fully exposed in the public API.

 

References:

-----------------------------

There is an open Enhancement Request. 

Feel free to quote this to your Account Executive if you need to discuss this in more detail.

  • EPIC-98008 (Token exchange flow support)
  • EPIC-91524 (Support for OIDC federation in Pega Infinity)

 

@Jarek as you wrote this discussion, do you have any contribution to this post?

@gundd1 @SumanKumar @jastg  can you provide some input to this question?

Show Less
To see attachments, please log in.

Related content:

Question

Okta and OpenID - Response Type as id_token instead of Code

Question

How to invoke OAuth POST /token endpoint when OAuth 2.0 Client Registration grant type is SAML Bearer

Question

How to Retrieve ID Token in Pega OIDC Authentication Service ?

Question

How to refresh idtoken (Auth0 using OIDC)

Question Solved

Pega / Google Oauth 2.0

Question

Client Registry and Auth Profile for Oauth2.0

Discussion

OAuth2 Client registration is not found for C11N Application

Discussion

List View: Enabling Personalization

Question

Instruction text in HTML rule did not have localized text generated with GenAI in Localization landing page from App studio

Question Solved

Getting null while calling PCore PConnect API DataTypeUtils.getSavableDataPage(className); desipte having valid class name and default data source for Data type

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice