We came to know that Pega does not support OOTB refreshing of the token in OpenID Connect. Hence we decided to make an exclusive call to the IdP, just by passing client_id, secret, grant_type and refresh token to the token endpoint URL.
Issue #1:
Could observe the below error while hitting the token endpoint URL:
com.pega.pegarules.pub.services.OutboundMappingException: Could not acquire fresh access token
What could be the reason behind this error? Attached stack trace.
Thanks for your response. Yes, I need to use the refresh token for subsequent processing.
Use case: Pega invokes the IdP for a token and the IdP shares a token whose lifetime is 10 mins. Pega has to initiate a refresh call to the IdP by sending parameters (client id, secret, refresh_token and grant_type) in raw format (not sure of the encoding method/algorithm that Pega uses).
By default, Pega stores this in the pr_data_access_token table in encoded format. Need help in decrypting the refresh token stored in the pr_data_access_token table.
Please suggest how to achieve this requirement. Thanks!!
Please note: INC-141371 is raised with the GCS team for this issue.
If you want to use the same access token in subsequent REST calls, you can create an OAuth2 auth profile with the authorization code grant type and use it in the connector. The same combination of scopes should be used (same order). The Platform refreshes the access token if it has expired by the time you call the connector (if a refresh token is returned in the initial call by the IdP). The refresh token will not be available in plain text format to the application layer.
You can also refer to the below article on how to use this OAuth2 profile at runtime for connecting to external web components protected by OAuth2.
It's grant_type as the 'Refresh token' string, and the refresh token should be in plain text format. A couple of questions:
1. As the IdP team is expecting grant_type as the refresh token string, if I call the IdP for a refresh token by hard-coding the above expected params with the OAuth profile as grant type, I get the below error even if I check the 'Use if refresh token available' checkbox:
com.pega.pegarules.pub.services.OutboundMappingException: Could not acquire fresh access token
What could be the workaround to meet this requirement?
2. Does the Platform refresh the token by default? The reason behind this question is that we could see the session is not ending even after the token expires, just that it's not calling the IdP. If yes, it's not satisfying our client's security requirements of having long sessions.
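For reference on the "raw format" question above, here is an added example (not Pega code and not from the thread) of what a standard RFC 6749 refresh_token grant looks like on the wire: the body is form-urlencoded with grant_type=refresh_token, and the client credentials go either in an HTTP Basic header or as form fields, depending on what the IdP accepts. The endpoint URL, credentials and token values are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical endpoint; replace with the IdP's real token URL.
TOKEN_ENDPOINT = "https://idp.example.test/oauth2/token"


def build_refresh_request(client_id, client_secret, refresh_token, client_auth="basic"):
    """Return (url, headers, body) for an RFC 6749 section 6 refresh_token grant.

    The body is application/x-www-form-urlencoded (not JSON, not base64).
    client_auth="basic": credentials go in an HTTP Basic Authorization header
    (client_secret_basic, the method RFC 6749 recommends for confidential clients).
    client_auth="post": credentials are sent as client_id/client_secret form
    fields (client_secret_post), which some IdPs require instead.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if client_auth == "basic":
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif client_auth == "post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError("client_auth must be 'basic' or 'post'")
    return TOKEN_ENDPOINT, headers, urlencode(params)


def parse_token_response(raw_json, now, old_refresh_token):
    """Parse a token response and compute an absolute expiry in epoch seconds.

    If the IdP rotates refresh tokens, the new one must replace the stored one;
    otherwise the previous refresh token stays valid and is kept.
    """
    data = json.loads(raw_json)
    if "error" in data:  # e.g. invalid_grant when the refresh token was revoked
        raise RuntimeError(f"token endpoint error: {data['error']}")
    return {"access_token": data["access_token"],
            "refresh_token": data.get("refresh_token", old_refresh_token),
            "expires_at": now + int(data.get("expires_in", 0))}


def needs_refresh(token, now, skew=60):
    """True when the access token has expired or will within `skew` seconds."""
    return now >= token["expires_at"] - skew


# Constructed sample response modelled on the 10-minute lifetime from the thread.
SAMPLE_RESPONSE = json.dumps({"access_token": "at-constructed", "token_type": "Bearer",
                              "expires_in": 600, "refresh_token": "rt-new-constructed"})
```

Refresh tokens are bearer credentials: keep only the latest one, never log the request body or the Basic header, and treat an invalid_grant response as a signal to re-authenticate rather than retry.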