Question
Bank of Nova Scotia
CA
Last activity: 22 Apr 2021 18:20 EDT
Service REST OAuth2 - External OAuth2 Provider
We have a requirement to secure a Service REST by using OAuth2. Instead of using Pega as the OAuth2 provider, an external OAuth2 Provider is to be used. This external OAuth2 Provider is expected to provide a Bearer Token in the format of a signed JWT.
On the Service Package side, should the Authentication Type be:
- OAuth2.0 or
- Custom
It's my understanding that OAuth 2.0 is used when Pega is used as the OAuth2 Provider. Can it still be used when an external provider is used? If so, what needs to be set up?
Secondly, what the possible way so trace/troubleshoot OAuth2 for Service REST?
Accepted Solution
Updated: 22 Apr 2021 18:20 EDT
Pegasystems Inc.
ES
@TerenceY0215 you should use Custom authentication in your Service Package. So to configure OAuth2.0 authentication for your Service REST you need:
- A custom authentication service
- An activity that get the JWT token from HTTP header, and validate it against a Token Profile
- A token profile for processing purpose
- A keystore with the JWK used to validate the token signature
Please let me know if you need any additional clarifications.
Bank of Nova Scotia
CA
@DavidElvarthis is great. Thx a lot!!
Dion also updated a post related to the CLSA Security Excellence Webinar:
Bank of Nova Scotia
CA
David, one more question. I know I can use the Token Profile for processing purpose to map the claims in the body. What about pulling values from the header? E.g., "kid' is sent in the header of the JWT, and I would like to pull that out. Can this be accomplished with the Token Profile mapping?
Bank of Nova Scotia
CA
David, another question ...
While the Authentication activity is being executed, how can I identify the Service-REST rule being executed? I understand that I can get the Request Path Info from the Requestor and use that to match to a Service-REST. However, knowing exactly which Service-REST is being invoked will be great.
The reason I would like to know about the specific Service-REST being invoked is that there might be a number of Service-REST rules sharing the same Service Package. Each Service-REST (perhaps down to its method) might have its own scope/permission.
Thx
Terence
Pegasystems Inc.
ES
hi @TerenceY0215 !! sorry for the latency with my answers :)
about the first one, configure the Header as JSON field located on Advanced mapping section of your token profile. You shoud enter the clipboard property that the decoded header is assigned to. Then you could deserialize this string into a clipboard page usint a JSON data transform in order to get any info from JWT header, like kid.
about the second one, you should try to manage different service packages to associate your REST services, based on functionality, business domain, or wathever, and then execute all REST services for same service package under same authorization level. If this is not possible, and you need to manage different authorization leve for each request, another approach could be manage the authorization level based on a JWT claim gettinf from payload. If you have to peform your requirement as is, there is no way to get the Service-REST rule (at least i don't know). Anyway, you may be able to get request URL information by reading http headers in authentication activity.