OAuth 2 - Service to service calls using delegated user identity
Hi there, I have a requirement to set up SSO with either OpenID or SAML2 with Azure Active Directory. Reusing this access token, we need to get authorization for downstream REST connector calls later in the case. The idea is to propagate the delegated user identity and permissions through the request chain.

For the middle-tier service to make authenticated requests to the downstream services, it needs to secure an access token from Azure Active Directory (Azure AD) "On-Behalf-Of" the user. Here's a link explaining Microsoft's support for the on-behalf-of OAuth2 flow: https://docs.microsoft.com/en-gb/azure/active-directory/develop/v1-oaut…

Is this achievable using the OAuth 2 authentication profile in Pega 8.1 for our REST connectors? If yes, is there any documentation or guide on how to set it up?

Best regards and thank you in advance.
-Mario
By the look of the Microsoft documentation, Pega, as the first application, should just pass the authentication token (token A) as is to the mid-tier API, and it is up to them to exchange this token A with Azure for the token B that they will use to call the second API.

So from the Pega side it's only a question of obtaining token A during the user authentication process (which should be covered OOTB) and then passing it to the external API.
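The token A to token B exchange that the question and the answer above describe, written out as an added example that is not code from the original thread, from Pega, or from Microsoft. It shows the middle-tier side only, using the v2.0 token endpoint (`scope` rather than the `resource` parameter of the v1 docs linked above), and it assumes the middle tier is registered in Azure AD as a confidential client with its own `client_id`/`client_secret`, and that token A was issued with the middle tier as its audience; the tenant, scope and token values used in the code are constructed placeholders.

```python
"""Middle-tier side of the Azure AD On-Behalf-Of (OBO) exchange.

Added example (not from the original post or from Pega). Assumes the middle
tier is a confidential client in Azure AD and that token A, forwarded by the
first application, names the middle tier as its audience.
"""
import json
import urllib.parse
import urllib.request

# Grant type defined by RFC 7523 and used by Azure AD for the OBO flow.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def build_obo_request(tenant, client_id, client_secret, token_a, scope):
    """Return (url, form_fields) for the v2.0 OBO token request.

    token A travels as the 'assertion'; requested_token_use=on_behalf_of tells
    Azure AD to mint token B for the downstream scope on behalf of that user.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    fields = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": token_a,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }
    return url, fields


def parse_obo_response(body):
    """Extract token B from the JSON response, failing loudly on an OAuth error.

    Missing user consent for the downstream API, or a token A whose audience
    is not this client, comes back as an 'error' object in the JSON body, so
    it has to be checked explicitly rather than relying on an HTTP status.
    """
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"], int(data.get("expires_in", 0))


def exchange_token(tenant, client_id, client_secret, token_a, scope):
    """Perform the OBO exchange over HTTPS and return (token_b, expires_in)."""
    url, fields = build_obo_request(tenant, client_id, client_secret, token_a, scope)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_obo_response(resp.read().decode())
```

Token B should be cached per user only until `expires_in` elapses and never forwarded back to the caller; the middle tier is the only party that should ever hold it.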