Configuring direct authentication against an external OIDC server for Pega Infinity Mobile Client

Increase your application's security by configuring Pega Infinity Mobile Client to authenticate mobile users directly against an external OpenID Connect (OIDC) identity provider, using the OIDC authorization code flow. In this scenario, users authenticate once against an external identity provider that complies with the OIDC standard. Subsequent access to Pega Platform requires a token issued by the OAuth 2.0 authorization layer.
Before you begin: Prepare for the configuration of the direct user authentication against an external OIDC server by performing the following tasks:
  1. Learn about client registrations. For more information, see Creating and configuring an OAuth 2.0 client registration.
  2. Learn about identity mappings. For more information, see Creating an identity mapping data instance.
  3. Learn about authentication services. For more information, see Configuring a token credentials authentication service.
  4. Register your application with an external identity provider, for example, Google, and then obtain the parameters according to the list in Custom parameters for direct authentication against an external OIDC server.
  • Configure the client registration service:
    1. On the Create OAuth 2.0 Client Registration screen, enter the name of the client and a short description, and then click Create and open.
    2. In the Client credentials section, select Confidential.
    3. Click View & download, and then download the text file with client registration parameters by clicking Download credentials.
      For more information about the client registration parameters, see Custom parameters for direct authentication against an external OIDC server.
    4. In the Supported grant types section, clear any selected options, and then select the JWT bearer check box.
    5. In the Identity mapping field, define the identity mapping:
      • Select an existing JSON Web Token identity mapping, and then go to step 10.
      • Create a new identity mapping.
    6. In the Token processing profile field, specify the token processing profile:
      • Select an existing JSON Web Token token processing profile, and then go to step 10.
      • Create a new token processing profile.
      Note: Pega Platform does not create operator IDs automatically when users attempt to log in. It derives the operator ID from the claims that you define in the identity mapping, so create every potential operator ID in advance; a user whose derived operator ID does not exist cannot log in.
    7. On the token processing profile configuration screen, in the Claims validation section, define the validation parameters:
      1. In the Issuer (iss) field, enter the issuer URL of the external OIDC authentication server, exactly as the server places it in the iss claim of the tokens that it issues.
      2. In the Audience (aud) field, enter the client ID value that you obtained from the OIDC authentication server.
        The OIDC standard requires the provider to put your client ID in the aud claim of the ID token, so the value that you enter must match that client ID exactly. A token whose iss or aud claim differs from these values fails validation.
    8. Save the token processing profile by clicking Save.
    9. Save the identity mapping by clicking Save.
    10. Save the client registration by clicking Save.
  • Enable the mobile authentication service:
    1. In the navigation panel of Dev Studio, click Records > SysAdmin > Authentication Service.
    2. In the list of existing authentication service instances, click Mobile.
    3. In the authentication service configuration screen, select Enable this authentication service, and then click Save.
    4. Prepare and upload the app.properties file.
    5. Generate the mobile app executable files.
      For more information, see Building mobile apps.
    Result: When Pega Infinity Mobile Client is configured to authenticate directly against an external OIDC identity provider, Pega Platform ignores the value of the Select authentication source field on the mobile channel configuration page.
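As an added example (not Pega code and not part of the original page), the following Python script shows the checks behind step 7 of the client registration procedure and the note on identity mappings: it validates the iss and aud claims of an OIDC ID token, applies the exp, nbf and azp rules from OIDC Core, derives an operator ID from a claim, and refuses tokens for operators that were not created in advance. The issuer URL, client ID, operator claim and operator list are assumed values; signature verification against the provider's published keys (JWKS) is assumed to happen before these checks and is not shown.

```python
"""Added example (not Pega code): the claim checks that the Claims validation
section of a token processing profile performs on an OIDC ID token, plus the
identity-mapping step that turns a claim into an operator ID."""
import base64
import json
import time

# Constructed configuration. In Pega, issuer and audience come from the token
# processing profile and the operator claim from the identity mapping. All
# values below are assumptions for this example.
EXPECTED_ISSUER = "https://accounts.example-idp.com"
CLIENT_ID = "mobile-client-1234"          # client ID issued by the IdP registration
OPERATOR_CLAIM = "email"                  # claim the identity mapping reads
KNOWN_OPERATORS = {"alice@example.com", "bob@example.com"}  # pre-created operators
CLOCK_SKEW = 60                           # seconds of tolerance for clock drift


class TokenRejected(Exception):
    """Raised when any validation rule fails; the caller treats this as a failed login."""


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jwt: str) -> dict:
    """Split a compact JWS and parse its payload.

    Signature verification against the IdP's published RS256 keys (JWKS) is
    assumed to happen before this function is called; it is not shown here.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(claims: dict, now: float) -> str:
    """Apply the OIDC Core 3.1.3.7 ID token checks and return the operator ID."""
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("iss does not match the configured issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise TokenRejected("aud does not contain our client ID")
    # With several audiences the token must name us as the authorized party.
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenRejected("azp missing or not our client ID")
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise TokenRejected("token expired or has no exp")
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        raise TokenRejected("token not yet valid")
    operator_id = claims.get(OPERATOR_CLAIM)
    if not operator_id:
        raise TokenRejected(f"token has no {OPERATOR_CLAIM} claim")
    # Pega does not create operators on the fly: unknown IDs fail closed.
    if operator_id not in KNOWN_OPERATORS:
        raise TokenRejected(f"no operator record for {operator_id}")
    return operator_id


def check(jwt: str, now=None):
    """Return (True, operator_id) on success or (False, reason) on rejection."""
    try:
        current = time.time() if now is None else now
        return True, validate_claims(decode_payload(jwt), current)
    except TokenRejected as exc:
        return False, str(exc)


def make_test_token(claims: dict) -> str:
    """Build an unsigned token for offline testing (constructed input, not a real IdP token)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.signature-placeholder"


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_test_token({"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "exp": now + 300,
                            "iat": now - 10, "email": "alice@example.com"})
    print(check(good, now))       # (True, 'alice@example.com')
    wrong_aud = make_test_token({"iss": EXPECTED_ISSUER, "aud": "other-app",
                                 "exp": now + 300, "email": "alice@example.com"})
    print(check(wrong_aud, now))  # (False, 'aud does not contain our client ID')
```

The audience check is the one that catches a token minted for a different application at the same provider, which is why the Audience (aud) field must hold your own client ID and not the provider's name or URL; the operator lookup at the end is the behaviour the identity-mapping note describes, so provisioning operators ahead of time is part of the configuration rather than an afterthought.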