Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Creating and configuring an OAuth 2.0 client registration

Updated on March 15, 2022

Create an OAuth 2.0 client registration to allow an external application or mobile native application to securely access Pega Platform REST services over HTTPS.

  1. In the Dev Studio header, click Create SecurityOAuth 2.0 Client Registration.
  2. Enter a short description and client name for your OAuth 2.0 client registration. Begin the name with a letter and use only alphanumeric characters.
  3. Click Create and open.
  4. In the Client Credentials section, select the Type of client:
    • Confidential – Select this client type for applications that can securely authenticate with the Pega Platform authorization module and keep their client secret safe.
    • Public – Select this client type for applications that cannot use client secrets, such as applications running in a browser or on a mobile device.
    Result: The system populates the Client Information tab with the following information, depending on the selected type of client:
    • Client ID – The unique ID that the system assigns to the client.
    • Client secret (Confidential only) – The password that the system assigns to the client in order to authenticate with the Pega Platform authorization module.
    • Authorization endpoint – The endpoint when you use the Authorization code grant type to configure Pega Platform as an access token provider.
    • Access token endpoint – The request URL that you can obtain to receive an access token for the client as a response after authentication. Your REST service authenticates the client by using the client ID and client secret.
    • Token revocation endpoint – The request URL that you can access. After authentication, you can revoke a previously issued access token for the client. The system returns an HTTP status code 200 as a response and all subsequent requests that the client sends by using the token result in an error.
    • JWKS endpoint – The JWKS endpoint publishes the keys that you can use to validate the signature of access tokens that Pega Platform issues as an OAuth 2.0 provider. The endpoint exposes these keys in the JSON Web Key Set (JWKS) format.
    • Token introspection endpoint (Confidential only) – The endpoint that validates the authorized access tokens and refresh tokens that the Pega Platform OAuth2.0 provider issues.
    • Userinfo endpoint – The endpoint for requesting user profile information.
  5. Optional: View and manage the client access tokens.
    • (Confidential only) To see the client secret, click View & download, and then click Download credentials in the dialog box to save the client credentials in a .txt file.
    • (Confidential only) To generate a new password for the client, click Regenerate client secret. The system revokes any active access token that it issued for the client.
    • To revoke all the access tokens for the client, click Revoke access and refresh token.
  6. In the Supported grant types section, select one or more grant types that define how an application gets an access token.
    • Authorization code – Select this checkbox to use an authorization code grant type for web and mobile apps, and then enter the following information:
      • List of redirect URIs – Enter one or more URIs that provide an authorization code that the client uses to request an access token.
      • Enable refresh token – Select this toggle to get a refresh token with an access token from the token endpoint. Use the refresh token to obtain a new access token when your previous access token has expired.
        • Set refresh token expiry from IDP session expiry – Select this checkbox to set refresh tokens issued for authorization to expire according to the identity provider (IDP) session expiration, which ignores the value set for Refresh token lifetime (in seconds) in the Token expiry section.
      • Enable Proof Key for Code Exchange – Select this checkbox to use the PKCE extension, which offers additional security in applications by providing proof to the authorization server that the authorization code belongs to the client application, and then enables the authorization server to issue an access token for that application.
      Caution: As a best practice, do not configure a loopback URL as a redirect URI. If you configure a loopback URL, at run time, the system does not validate the port number is not validated, and the client application can use any available port on the user system, including ports that you might not intend to have the system use.
    • Client credentials (Confidential only) – Select this checkbox to choose an operator or access group that your application uses to authorize the OAuth 2.0 client, and then enter the following information:
      • Operator ID – Press the Down Arrow key to assign a unique ID to the operator.
        Caution: This operator must not represent a human user who can log in to the system. The operator must be reserved for an OAuth 2.0 client that wants to access resources in Pega Platform. You can modify the scope of the operator access group to allow the client to access selective resources in Pega Platform.
    • Password credentials – Select this checkbox to allow user credentials to authorize the OAuth 2.0 client, and then enter the following information:
      • Identity mapping – Press the Down Arrow key to select an identity mapping that validates the operator credentials, and then converts them to the OAuth 2.0 access token. The default is the identity mapping data instance named pyDefaultIdentityMappingForPasswordGrant. Click the Open icon to create a new identity mapping.
      • Enable refresh token – Select this checkbox to get a refresh token and an access token from the token endpoint. Use the refresh token to obtain a new access token after your previous access token has expires.
    • SAML bearer – Select this checkbox to use a SAML assertion to authorize the OAuth 2.0 client in your application, and then enter the following information:
      • Identity mapping – Press the Down Arrow key to select an identity mapping that uses a SAML 2.0 assertion, or click the Open icon to create a new identity mapping. This action extracts user information from the SAML assertion, and then validates it to issue the OAuth 2.0 access token.
    • JWT bearer – Select this checkbox to use a JSON Web Token assertion to authorize the OAuth 2.0 client, and then enter the following information:
      • Identity mapping – Press the Down Arrow key to select an identity mapping that uses a JSON web token, or click the Open icon to create a new identity mapping. This action extracts the user information from the JSON web token (JWT) claims and validates it to issue the OAuth 2.0 access token.
  7. If Enable refresh token is selected, choose one of the following options in the Token issuance section for refreshing the token:
    • Issue once and keep until expiry – Each time the client requests a new access token, Pega Platform issues the same refresh token, with the expiration time updated to the remaining token lifetime using the value provided in the Refresh token lifetime (in seconds) field.
    • Issue a new refresh token without changing expiry – Each time the client requests a new access token, Pega Platform issues a new refresh token, and then updates the expiration time to the remaining token lifetime using the value in the Refresh token lifetime (in seconds) field.
      Note: For public clients, the system selects this option by default, and it is the only available option.
    • Issue a new refresh token and reset expiry – Each time the client requests a new access token, Pega Platform issues a new refresh token, with the expiry time reset to the value in the Refresh token lifetime (in seconds) field.
  8. In the Token expiry section, define the lifetimes for authorization code and tokens.
    1. Access token lifetime (in seconds) – Enter the time period in seconds for which an access token issued to an OAuth 2.0 client is valid. The default value is 3600 seconds.

      For Authorization code grant type, the Client registration rule form provides the access token lifetime, even though the refresh token value taken from IdP is less than the configured value in the rule form.

      For SAML and JWT bearer grant type, the access token lifetime is the minimum value of assertion validity and the access token value configured in the client registration rule form.
    2. Refresh token lifetime (in seconds) – Enter the time period in seconds for which a refresh token issued to an OAuth 2.0 client is valid. The default value is 86400 seconds.
    3. Authorization code lifetime (in seconds) – Enter the time period in seconds for which an authorization code issued to an OAuth 2.0 client is valid. The default value is 600 seconds.
    4. Access token idle timeout (in seconds) – Enter the timeout period in seconds for which the client has not renewed the token within this time. The refresh token also becomes invalid, as the renewal time exceeds the idle timeout.
  9. Configure the information returned from the Userinfo endpoint as a Userinfo token, by pressing the Down Arrow key and selecting a token profile in the User profile mapping section, in the JWT generation profile field. The default is pyDefaultUserInfoMapping, which is the JSON web token (JWT) generation profile that represents the default Userinfo token structure. To define a different JWT generation profile, click the Open icon.
  10. Click Save.
  11. To specify a proxy for your REST connector, in the Advanced configuration section, select the Use proxy checkbox, and then configure the remaining proxy parameters:
    1. In the Host field, enter the address of the proxy host.
    2. In the Port field, enter the port number.
    3. To add in the authentication details, select the Use Authentication checkbox, and then enter the following information:
      • In the User ID field, enter the user ID.
      • In the Password field, enter the password.

Related articles

OAuth 2.0 client registrationsIdentity mappingToken profile data instanceOperators

Tags

Pega Platform 8.7 Security

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Support Center

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us