Securing Cosmos React-UI applications
If your application uses a Cosmos React-UI, then it authenticates operators using one
of the newer (PRAuth) types of Pega Platform Authentication schemes. Requests are typically
submitted using a URL that includes an application alias, for example:
https://<host>:<port>/prweb/app/Alias.
For an unauthenticated user, this type of request presents a page showing a list of
authentication services available for login to the application. If the user chooses
Basic authentication, then the password, lockout, and CAPTCHA
policies are applied by default.
Cosmos React-UI security
When using Cosmos React-UI, use the following conventions, or you will encounter errors and issues with authentication:
HTTPSis required if the application is marked to use Cosmos React-UI.- Authorized access tokens (AAT) should be marked as HttpOnly and secured using a dynamic system setting. For more information, see Creating a dynamic system setting.
- You can customize token lifetime configurations on the OAuth 2.0 Client
Registration rule form.
- The auto-generated OAuth 2.0 client for an application is identified
with the name
PegaAPP_<ApplicationName>. Where <ApplicationName> is the name that is used to automatically generate OAuth 2.0 Client Instance when an application is saved. - The default expiry time is 15 minutes for access token and 24 hours for refresh token.
- For more information, see:
- The auto-generated OAuth 2.0 client for an application is identified
with the name
- URL patterns & authentication
- Cosmos React-UI supports only app-specific URLs and
PRAuth-based authentication-schemes. For
example,
https://<host>:<port>/prweb/app/Aliasis valid. - Cosmos React-UI does not support non app-specific URLs and for
custom authentication and any authentication-schemes other than
PRAuth. For example, URLs such as the
following will cause an error:
https://hostname:port/prweb/PRWebLDAP1/app/Alias. - If a Cosmos React-UI application is exported to higher environments, instances of OAuth 2.0 clients that are specific to the application must be included in the package.
- Cosmos React-UI supports only app-specific URLs and
PRAuth-based authentication-schemes. For
example,
- API Security
- All Cosmos React-UI service-packages must be configured to use OAuth 2.0 authentication. For more information, see OAuth 2.0 client registrations.
- Authorization
- An operator must have PegaRULES:PegaAPI role to perform Digital Experience (DX) and data API calls.
- If the application uses DX API, an OAuth 2.0 Client is generated automatically when the application is saved.
- Session management
- It is a leading practice to set the Access group timeout as a longer time period than the Refresh token timeout. For example, the Refresh token timeout is set to 15 minutes and the Access group timeout is set to 1 hour.
- Even if the Access group timeout is configured to be less than access token expiry, then re-authentication is required if the access token expires.
Previous topic Securing your application for mashup communication Next topic Verify requests at the application layer