OIDC token verification in Service Rest

hi team,

I created a new Service Rest and the caller will pass an OIDC token in the header. Do you know how to verify the OIDC token?

Currently there is an OpenID Connect Authentication Service “LoginOAuth” used to login (I can use it to login successfully), and I use it as the “Authentication Service” in the service package of this Service Rest. But when I invoke the Service Rest in Postman, it says “401 Unauthorized”. In the log, I can see the following errors:

inside processGeneratedJsonWebToken
Setting JWSVerifierFactory with PegaConfigurableJWSVerifierFactory instance
Parsing generated JWT - “the passed in token”
jwt is signed JWT. So validating signature

Error while processing JWT Cannot invoke “com.pega.platform.securitycore.jwt.KeystoreData.getPublicKey(String)” because “keystoreData” is null
Exception occurred while validating access token: HTTP 401 Unauthorized

Does anyone know what’s wrong?

The 401 is likely caused by JWT signature validation failing because Pega cannot resolve the public key from the configured OIDC authentication service. The error keystoreData is null usually indicates that the auth service is missing or misconfigured for token verification, even if it works for browser login. Please verify the IdP metadata/JWKS, issuer, and key configuration in the OpenID Connect authentication service used by the service package.

I recommend decoding your JWT using a tool like jwt.io and carefully reviewing the contents below:

  • Check the header for the kid (key ID).
  • Check the payload for the iss (issuer) and aud (audience) values, as these must align with your configuration.
  • Then take the iss value and open the corresponding JWKS endpoint (for example, https://<issuer>/.well-known/jwks.json) in a browser to inspect the available public keys. Verify that the JWKS response includes a key with the same kid as your token’s header; this ensures that Pega can locate the correct public key to validate the token signature.
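The pre-flight checks from that answer (kid present in the JWKS, iss and aud matching configuration, exp not passed) as an added, stdlib-only Python example; this is not Pega code and not the answer author's own. The issuer, audience, JWKS contents and tokens are constructed placeholders, and the script deliberately stops short of signature verification, which needs an RSA implementation and the real key material.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def preflight_check(token: str, jwks: dict, expected_iss: str, expected_aud: str, now=None) -> list:
    """Return the problems a verifier would hit before (or instead of) checking the signature."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a compact JWS (expected header.payload.signature)"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    kid = header.get("kid")
    if kid is None:
        problems.append("header has no kid; the verifier cannot select a JWKS key")
    elif not any(k.get("kid") == kid for k in jwks.get("keys", [])):
        # This is the case that leaves the verifier with no key to load (no public key for the token).
        problems.append(f"kid {kid!r} not present in JWKS")
    if payload.get("iss") != expected_iss:
        problems.append(f"iss {payload.get('iss')!r} != configured issuer {expected_iss!r}")
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    exp = payload.get("exp")
    if exp is None or exp < (time.time() if now is None else now):
        problems.append("token is expired or has no exp claim")
    return problems

def make_sample_token(header: dict, payload: dict) -> str:
    # Constructed token with a dummy signature segment; the pre-flight checks never touch it.
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.c2lnbmF0dXJl"

# Constructed sample data (placeholders, not from a real IdP): the JWKS publishes one key id,
# the "bad" token references a different one, the "good" token matches it.
ISSUER = "https://idp.example.com"
AUDIENCE = "pega-service-rest"
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2024-01",
                         "n": "<modulus omitted>", "e": "AQAB"}]}
EXP_2100 = 4102444800
BAD_TOKEN = make_sample_token({"alg": "RS256", "typ": "JWT", "kid": "key-2023-07"},
                              {"iss": ISSUER, "aud": AUDIENCE, "exp": EXP_2100})
GOOD_TOKEN = make_sample_token({"alg": "RS256", "typ": "JWT", "kid": "key-2024-01"},
                               {"iss": ISSUER, "aud": [AUDIENCE, "other-client"], "exp": EXP_2100})

if __name__ == "__main__":
    for name, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(name, preflight_check(tok, SAMPLE_JWKS, ISSUER, AUDIENCE) or ["ok"])
```

Run it against the real token from the Postman request and the JWKS fetched from the issuer's discovery document; an empty list means the remaining 401 is a signature or key-loading problem, not a claim mismatch.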