Hi.
We run all our integrations via a custom middleware. Pega, as service provider, will receive, next to the payload, also an access token (JWT) which must be validated against an external auth provider.
I have prepared a token profile (JWT) for processing the signature validation via a keystore (configured JWK with external keystore URL). My idea is now to configure an authentication service of type custom on the service package which will trigger the processing of the configured token profile. But I cannot find an OOTB authentication service of type custom (or any examples) to trigger this. Also in the engine API documentation I have not found any hints how this could be triggered in an authentication service of type custom.
Has someone implemented this or can give me a hint how this can be established?
Regards, Matthias
@MatthiasGuenther
Hi Matthias,
I had a look at the response of Dion, it was clear, I just have a question.
How to trigger pxProcessJWT from the main activity? I mean, is there another OOTB we can use or should we create our own? If it's the latter, is it just about adding the profile name + jwtString, or is there something else to be done?
Thank you for your response
@AhmedAttia We do have the same requirement and I am checking other articles but couldn't get a clear picture of how to implement it. Did you get through this implementation? Please provide your inputs here.
@VamshiKrishn_Nookala @AhmedAttia
It is as simple as you can imagine. In your custom authentication activity just read the token from the header with a Java statement like this, where the header field "Authorization" contains the token:
ClipboardPage pg = tools.getRequestor().getRequestorPage();
// The servlet request is exposed on the requestor page as pxHTTPServletRequest
com.pega.pegarules.priv.authentication.RequestFacade reqFacade =
    (com.pega.pegarules.priv.authentication.RequestFacade) pg.getObject("pxHTTPServletRequest");
// Null when the request carries no Authorization header
String requestAuthorizationHeader = reqFacade != null ? reqFacade.getHeader("Authorization") : null;
After that you can just call the pxProcessJWT activity on a temporary clipboard page with the name of your profile and the token from above java code. Important: Remove "Bearer " from the token before, if it is a standard bearer token.
Regards, Matthias
@MatthiasGuenther Dear Matthias, thanks for the reply. I am trying to implement the same, but I am not able to succeed.
I had made my service REST as custom and implemented custom authentication with an activity where I am parsing the Bearer token passed in the header and then passed it to processJWT with Token Profile.
In the Token Profile, I had given my “IDp” Certificate URL.
And in the Custom Authentication service, I had mentioned to authenticate externally, i.e., "Source of operator credentials" set to "use Externally stored Credentials".
Can you please help me where I am missing in the above configurations.
@VamshiKrishn_Nookala
In the token profile you should start with the minimum setup as follows:
In the claims validation just configure the issuer (iss). Here it is not the IdP certificate URL (something like this, if you use OpenID Connect: https://<>/auth/realms/default/protocol/openid-connect/certs). It should be something like this: https://<>/auth/realms/default, depending on your IdP. You can check this by writing your token string to the Pega log and then checking it here: https://www.jwt.io/.
Secondly, under security configure signature validation + asymmetric and a truststore. The truststore you have to create with your IdP cert URL.
This should work then.
Regards, Matthias
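To make the two points from the replies above concrete (strip the "Bearer " scheme before handing the token to the token profile, and configure iss as the realm URL rather than the certs URL), here is an added Python example that is not Pega code and not part of this thread. The issuer URL, host and token are constructed placeholders; it performs only the pre-checks a claims-validation step would do and deliberately does not verify the signature, which stays the job of the truststore-backed signature validation.

```python
import base64
import json
import time

# Expected issuer is the IdP realm URL, NOT its certificate/JWKS endpoint
# (constructed placeholder host, not a real IdP).
EXPECTED_ISSUER = "https://idp.example.test/auth/realms/default"

def extract_bearer(authorization_header):
    """Return the raw JWT from an Authorization header value, or None if not a bearer token."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    # RFC 6750: the "Bearer" scheme name is matched case-insensitively.
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token):
    """Decode header and payload of a compact JWS; the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def preflight_problems(token, expected_issuer=EXPECTED_ISSUER, now=None):
    """Reasons a claims-validation step would reject the token (empty list = none found)."""
    decoded = decode_unverified(token)
    if decoded is None:
        return ["token is not a three-part compact JWS"]
    header, claims = decoded
    problems = []
    alg = header.get("alg", "")
    if not alg.startswith(("RS", "ES", "PS")):  # asymmetric signature expected
        problems.append("alg %r is not an asymmetric signature algorithm" % alg)
    if claims.get("iss") != expected_issuer:
        problems.append("iss %r does not match expected issuer %r" % (claims.get("iss"), expected_issuer))
    if "exp" in claims and claims["exp"] <= (now if now is not None else time.time()):
        problems.append("token expired")
    return problems

def build_test_token(alg, claims):
    """Constructed token with a dummy signature segment, for exercising the checks offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])
```

A token whose iss is the certs endpoint, as in the misconfiguration discussed above, is reported as an issuer mismatch even though it is otherwise well formed.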