Issue
After updating the platform versions specified, REST integrations using OAuth 2.0 authentication fail with HTTP 401 (Unauthorized) errors. This issue occurs despite the authorization token appearing valid.
Steps to reproduce
- Configure a REST connector using an OAuth 2.0 Authentication Profile (for example, the Password Credentials grant type).
- Execute the connector with a fresh access token.
- Execute the connector again after the token expires. The connector fails with HTTP 401 and does not automatically refresh the token.
Root Cause
Third-party non-compliance with RFC 6750
This reported behavior occurs because the platform now enforces stricter compliance with the OAuth 2.0 Bearer Token specification (RFC 6750).
Starting with Pega 23.1.5, Pega strictly adheres to RFC 6750 Section 3. Under this standard:
- When an API request receives a 401 response, the token is refreshed only if the response includes a WWW-Authenticate header containing the error code invalid_token (case-sensitive).
- Pega checks for this header and error code before attempting a token refresh.
- If the header is missing or the error code differs, Pega does not retry the token acquisition.
Some Identity Providers (IDPs) do not comply with RFC 6750. They either omit the WWW-Authenticate header or return custom error codes (for example, Session_Invalid or Invalid_Auth_Header). As a result, Pega cannot refresh tokens automatically, causing integration failures.
Solution
Update the IDP implementation to fully comply with RFC 6750.
Implement the following changes:
- Include the WWW-Authenticate header in all HTTP 401 responses.
- Use the case-sensitive error code, invalid_token.
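The following is an added example, not Pega's code or any code from this article. It models both halves of the article: the client-side decision described under Root Cause (refresh only on a 401 whose Bearer challenge carries the exact error code invalid_token) and the compliant 401 response required under Solution. The challenge parser, the `should_refresh_token` and `compliant_401_headers` helpers, and the sample responses (including the non-compliant Session_Invalid and wrong-case variants) are all constructed for illustration and do not reflect Pega's internal implementation.

```python
"""RFC 6750 Section 3 bearer-challenge handling, both sides of the exchange.

Constructed example: the functions and sample responses below are assumptions
made for illustration, not Pega's or any IDP's actual code.
"""
import re

# Matches auth-params of the form key="quoted value" or key=token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge as a dict.

    Returns None when the header is absent or is not a Bearer challenge.
    """
    if header_value is None:
        return None
    scheme, _, params = header_value.strip().partition(" ")
    # The scheme name is case-insensitive (RFC 7235); the params are not.
    if scheme.lower() != "bearer":
        return None
    return {key: quoted or token for key, quoted, token in _PARAM_RE.findall(params)}


def should_refresh_token(status, headers):
    """Decide whether a strictly RFC 6750 compliant client refreshes its token.

    This mirrors the behaviour the article attributes to Pega 23.1.5: a refresh
    is attempted only on a 401 whose WWW-Authenticate Bearer challenge carries
    error="invalid_token", matched case-sensitively.
    """
    if status != 401:
        return False
    # Header names are case-insensitive, so look the header up accordingly.
    www_auth = next(
        (value for name, value in headers.items() if name.lower() == "www-authenticate"),
        None,
    )
    params = parse_bearer_challenge(www_auth)
    if params is None:
        return False  # header missing or not a Bearer challenge: no retry
    return params.get("error") == "invalid_token"  # exact, case-sensitive match


def compliant_401_headers(realm="api", description="The access token expired"):
    """Build the WWW-Authenticate header a compliant resource server should send
    with a 401 for an expired or otherwise invalid bearer token."""
    return {
        "WWW-Authenticate": (
            f'Bearer realm="{realm}", error="invalid_token", '
            f'error_description="{description}"'
        )
    }


# Constructed sample responses modelled on the cases the article describes.
SAMPLE_RESPONSES = {
    "compliant": (401, compliant_401_headers()),
    "missing_header": (401, {"Content-Type": "application/json"}),
    "custom_code": (401, {"WWW-Authenticate": 'Bearer error="Session_Invalid"'}),
    "wrong_case": (401, {"WWW-Authenticate": 'Bearer error="Invalid_Token"'}),
    "success": (200, {}),
}


def classify_samples():
    """Return the refresh decision for each constructed sample response."""
    return {
        name: should_refresh_token(status, headers)
        for name, (status, headers) in SAMPLE_RESPONSES.items()
    }


if __name__ == "__main__":
    for name, decision in classify_samples().items():
        print(f"{name:15} refresh={decision}")
```

Only the compliant response triggers a refresh; the responses with a missing header, a custom error code, or a differently cased code are treated as plain 401 failures, which is exactly the integration failure the article describes. When checking an IDP against this requirement, capture the raw 401 response and confirm the header is present and the error value matches byte for byte.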