This documentation site is for previous versions. Visit our new documentation site for current releases.
Securing Cosmos React-UI applications

Updated on July 1, 2021

If your application uses Cosmos React-UI, it authenticates operators using one of the newer (PRAuth) types of Pega Platform authentication schemes. Requests are typically submitted using a URL that includes an application alias, for example: https://<host>:<port>/prweb/app/Alias. For an unauthenticated user, a request of this type presents a page listing the authentication services available for logging in to the application. If the user chooses Basic authentication, the password, lockout, and CAPTCHA policies are applied by default.

Cosmos React-UI security

When using Cosmos React-UI, follow these conventions; otherwise you will encounter errors and authentication issues:

  • HTTPS is required if the application is marked to use Cosmos React-UI.
  • Authorized access tokens (AAT) should be marked as HttpOnly and secured by using a dynamic system setting. For more information, see Creating a dynamic system setting.
  • You can customize token lifetime configurations on the OAuth 2.0 Client Registration rule form.
  • URL patterns & authentication
    • Cosmos React-UI supports only app-specific URLs and PRAuth-based authentication schemes. For example, https://<host>:<port>/prweb/app/Alias is valid.
    • Cosmos React-UI does not support non-app-specific URLs, custom authentication, or any authentication schemes other than PRAuth. For example, a URL such as https://hostname:port/prweb/PRWebLDAP1/app/Alias causes an error.
    • If a Cosmos React-UI application is exported to higher environments, the OAuth 2.0 client instances that are specific to the application must be included in the package.
  • API security
    • All Cosmos React-UI service packages must be configured to use OAuth 2.0 authentication. For more information, see OAuth 2.0 client registrations.
  • Authorization
    • An operator must have the PegaRULES:PegaAPI role to perform Digital Experience (DX) and data API calls.
    • If the application uses the DX API, an OAuth 2.0 client is generated automatically when the application is saved.
  • Session management
    • It is a leading practice to set the Access group timeout to a longer period than the Refresh token timeout; for example, a Refresh token timeout of 15 minutes and an Access group timeout of 1 hour.
    • Even if the Access group timeout is configured to be shorter than the access token expiry, re-authentication is required when the access token expires.
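The conventions above (HTTPS only, app-specific `/prweb/app/<Alias>` URLs, HttpOnly and Secure token cookies, and an Access group timeout longer than the Refresh token timeout) can be checked before an application is promoted. The following is an added example, not Pega code: the function names, the cookie name `aat`, and the sample URLs and header values are constructed for illustration, and the checks encode only what the list above states.

```python
"""Pre-flight checks for the Cosmos React-UI security conventions listed above.

Added example, not Pega code. The URL pattern, cookie attributes and timeout
ordering come from the documentation text; function names and sample inputs
are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# App-specific URL path: /prweb/app/<Alias>, optionally followed by deeper
# segments. A servlet segment between /prweb and /app (for example
# /prweb/PRWebLDAP1/app/Alias) is not supported by Cosmos React-UI.
APP_URL_PATH = re.compile(r"^/prweb/app/[^/]+(?:/.*)?$")


def check_app_url(url: str) -> list[str]:
    """Return findings for a login URL; an empty list means it conforms."""
    findings = []
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        findings.append("HTTPS is required for Cosmos React-UI")
    if not APP_URL_PATH.match(parts.path):
        findings.append("URL is not app-specific (/prweb/app/<Alias>); "
                        "servlet-specific paths and non-PRAuth schemes are unsupported")
    return findings


def check_token_cookie(set_cookie: str) -> list[str]:
    """Check that a Set-Cookie header carrying the access token has HttpOnly and Secure."""
    # Attribute names after the first ';' are case-insensitive per RFC 6265.
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("access token cookie is missing HttpOnly")
    if "secure" not in attrs:
        findings.append("access token cookie is missing Secure")
    return findings


def check_timeouts(access_group_timeout_min: int, refresh_token_timeout_min: int) -> list[str]:
    """The Access group timeout should be longer than the Refresh token timeout."""
    if access_group_timeout_min <= refresh_token_timeout_min:
        return [f"access group timeout ({access_group_timeout_min} min) should be longer "
                f"than refresh token timeout ({refresh_token_timeout_min} min)"]
    return []


if __name__ == "__main__":
    # Constructed sample inputs: one conforming and one non-conforming per check.
    samples = {
        "url ok": check_app_url("https://host.example:8443/prweb/app/MyApp"),
        "url servlet path": check_app_url("https://hostname:8443/prweb/PRWebLDAP1/app/Alias"),
        "url plain http": check_app_url("http://host.example:8080/prweb/app/MyApp"),
        "cookie ok": check_token_cookie("aat=<constructed-token>; Path=/prweb; Secure; HttpOnly; SameSite=Lax"),
        "cookie weak": check_token_cookie("aat=<constructed-token>; Path=/prweb"),
        "timeouts ok": check_timeouts(60, 15),
        "timeouts inverted": check_timeouts(15, 60),
    }
    for name, findings in samples.items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it as a script to see each sample reported, or import the three `check_*` functions into a deployment pipeline so a package that violates a convention is flagged before it reaches a higher environment.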
