We have a requirement to secure a Service REST by using OAuth2. Instead of using Pega as the OAuth2 provider, an external OAuth2 Provider is to be used. This external OAuth2 Provider is expected to provide a Bearer Token in the format of a signed JWT.
On the Service Package side, should the Authentication Type be:
OAuth2.0 or
Custom
It’s my understanding that OAuth 2.0 is used when Pega is used as the OAuth2 Provider. Can it still be used when an external provider is used? If so, what needs to be set up?
Secondly, what the possible way so trace/troubleshoot OAuth2 for Service REST?
David, one more question. I know I can use the Token Profile for processing purpose to map the claims in the body. What about pulling values from the header? E.g., "kid’ is sent in the header of the JWT, and I would like to pull that out. Can this be accomplished with the Token Profile mapping?
While the Authentication activity is being executed, how can I identify the Service-REST rule being executed? I understand that I can get the Request Path Info from the Requestor and use that to match to a Service-REST. However, knowing exactly which Service-REST is being invoked will be great.
The reason I would like to know about the specific Service-REST being invoked is that there might be a number of Service-REST rules sharing the same Service Package. Each Service-REST (perhaps down to its method) might have its own scope/permission.
hi @TerenceY0215 !! sorry for the latency with my answers
about the first one, configure the Header as JSON field located on Advanced mapping section of your token profile. You shoud enter the clipboard property that the decoded header is assigned to. Then you could deserialize this string into a clipboard page usint a JSON data transform in order to get any info from JWT header, like kid.
about the second one, you should try to manage different service packages to associate your REST services, based on functionality, business domain, or wathever, and then execute all REST services for same service package under same authorization level. If this is not possible, and you need to manage different authorization leve for each request, another approach could be manage the authorization level based on a JWT claim gettinf from payload. If you have to peform your requirement as is, there is no way to get the Service-REST rule (at least i don’t know). Anyway, you may be able to get request URL information by reading http headers in authentication activity.
