I have a requirement to access an external web service from Pega 7.3.1 using OAuth 2.0 with the client credentials flow. Does anyone who has experience of this want to share best practice?
I can see that later versions of Pega allow more configuration when creating an authentication profile, i.e. the connection to the token provider.
@matthewk2081 OK, so I have made some progress on this. The last challenge, hopefully, is configuring the OAuth 2.0 Authentication profile. I was hoping to be able to populate the secret value using Global Resource Settings, but it appears that field doesn't support that syntax (Pegasystems Documentation).
What is an alternative way if hard coding the value is not an option?
@matthewk2081 I am researching how to dynamically pass in the client secret, as we don’t want devs to maintain/access the key. Have you found a way to use GRS or other dynamic approach?
Hello @matthewk2081. I checked to try to find the SR you reference. Is it the one you logged on 28 February?
SR-113418 / INC-213581 (security issue in OAuth 2.0 authentication profile)
I have checked the investigation that was carried out:
On March 7th the support engineer informed you that this is an enhancement request.
FDBK-86037 was created on your behalf, and this information was passed back to you, which you acknowledged.
Details of the enhancement request for our engineering team to consider for a future version:
“Request is for the client secret field for an OAuth 2.0 Authentication profile to support Global Resource Settings (ref: Pegasystems Documentation) or a suitable workaround. Currently the client secret would have to be hard-coded, which from a security standpoint is unacceptable and is preventing us from using this functionality.”
Therefore I believe we have answered your question. Feel free to follow up the FDBK with your Pega AE if required.
I have linked it to this forum question for visibility.
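For readers who need the client credentials exchange outside the Pega authentication profile (or want to see what the profile is doing on the wire), here is an added example of the flow discussed in this thread. It is not code from Pega or from anyone in the thread. It builds the RFC 6749 section 4.4 token request with the client secret read from the environment (assumed to be injected by a secret store at deploy time) instead of a literal in source, and pairs it with a constructed in-memory stand-in for the token provider so the exchange runs offline. The token URL, client id, registered secret and environment variable name are all assumptions for illustration.

```python
import base64
import os
import secrets
from urllib.parse import parse_qs, urlencode


def load_client_secret(env=None, name="OAUTH_CLIENT_SECRET"):
    """Read the client secret from the process environment (or a supplied mapping).

    The secret is expected to be injected at deploy time by a secret store;
    there is deliberately no fallback to a value embedded in source.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to fall back to a hard-coded secret")
    return value


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Return (url, headers, body) for a client-credentials token request.

    Client authentication uses HTTP Basic (RFC 6749 section 2.3.1); the
    grant_type goes in the form-encoded body.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return token_url, headers, urlencode(params)


# Constructed stand-in for the provider's client registry (assumed values).
REGISTERED_CLIENTS = {"pega-connector": "s3cr3t-from-vault"}


def token_endpoint(headers, body):
    """Minimal stand-in for the token provider: (status, JSON-style dict).

    Checks Basic credentials with a constant-time comparison, then the
    grant_type, and issues a random bearer token on success.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, client_secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except ValueError:  # bad base64, bad UTF-8 or missing ':' all derive from ValueError
        return 401, {"error": "invalid_client"}
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not secrets.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }


def fetch_token(client_id, env=None, secret_name="OAUTH_CLIENT_SECRET"):
    """Run the full exchange against the stand-in endpoint and return the token payload."""
    secret = load_client_secret(env, secret_name)
    _, headers, body = build_token_request(
        "https://idp.example/oauth2/token", client_id, secret  # assumed URL
    )
    status, payload = token_endpoint(headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed ({status}): {payload}")
    return payload


if __name__ == "__main__":
    # Demo only: in a real deployment the secret store sets this variable.
    demo_env = {"OAUTH_CLIENT_SECRET": "s3cr3t-from-vault"}
    print(fetch_token("pega-connector", env=demo_env)["token_type"])
```

The point the thread is making shows up in `load_client_secret`: the secret never appears in a rule or source file, and a missing value is a hard failure rather than a silent fallback, so a misconfigured environment cannot quietly authenticate with a stale or shared secret.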