JWT Processing using pxProcessJWT - Custom Authentication
Hi,
For a new project we are looking into the Pega rules used for processing an already externally generated Json Web Token (JWT).
From Pega perspective we provide a processing-service where the external party authorizes using the JWT which we want to check using the Tokenprofile and the related activity pxProcessJWT
So far I found the following help link.
My Question:
What and where should we configure this activity for checking the JWT validity? In the custom authentication part on the service Package?
Pega version 7.3.1
Hi,
Thnx for your response. The problem we run into is the following:
We configured the following:
- Custom authentication service
- Custom authentication activity which calls the JWT processing activity * Required input, Token profile + JWT string.
The activity requires a JWT string param which normally comes from the header. When we test our service with for example SoapUI we dont see a header comming into the activity to perform the validation.
We added a custom Authorization header in SoapUI with "bearer !@#!#$!ASD.. etc"
Please provide a solution.
Kind regards,
Joost
Hi Joost,
One more thing you can probably try ( if not done already) is to use the httpServletRequest object in your custom activity. You can use the getHeader("Authorization") or something to get the bearer token as the value. This can fetch you the JWT token inside the bearer authentication scheme.
Thanks! We were playing around and used the following code to get the authorization header in a property-step.
@java("((javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getObject(\"pxHTTPServletRequest\")).getHeader(\"Authorization\")")
Do you have PEGA Sales Automation in your application stack? There is an OOTB activity - OutlookAddinAuth which is used for PEGA Outlook integration. That activity will give you an example of how to process JWT token and create operator record. You still need to create a token processing profile and trust store to validate the token.
Hi,
We have a similar requirement, and we do the authentication in the Service activity Step #1 . If the validateJWT function returns false, it means the token was not validated, and you can then return an "Ïnvalid Token" error back to the consumer.