Close popover
Oliver Falkenberg (Falko)
Sr. System Architect
Pegasystems Inc.
Falko Member since 2017 1 post
Posted: September 19, 2018
Last activity: September 20, 2018

REST connector with OAuth 2.0 and JWT Authentication fails

Currently I'm developing a new REST connector. For this I have to define a new Authentication and create a new OAuth provider using the REST integration wizard in developer studio (Pega 8).

The API I have to access utilizes a JWT (JSON web token) based authentication. So every API request must include a JWT inside a request header. This happens in conjuction with an implementation of OAuth2 using a HMAC-SHA256 algorithm.

The Authentication and request process I have to follow is like:

  1. Construct a JWT using several (custom) fields, including OAuth fields.
  2. Call a authorize URI with the JWT.
  3. Request will be redirected to Pega redirect_uri with parameter 'code' in the query string.
  4. This code has to be used to construct another JWT (with the 'code' and 'grant_type="authorization_code"' fields)
  5. POST to access token URI with the JWT.
  6. The response will contain an access_token.
  7. This token has to be used to construct another JWT (with the 'authorization' field)
  8. Finally the Web API can be called with the JWT.
I'm not sure if this whole process and all the requirements can be covered by Pega 8 (Infinity) OOTB.
Currently I'm facing several problems. After configuring the connector and the OAuth provider (see parameters below) and trying to connect I get back an error message from the API like this:

  "errors": [
      "title": "unauthorized_client",
      "id": "XXX",
      "meta": {
        "server-time": 123
      "errorCode": "unauthorized-client",
      "status": 401,
      "detail": "No definition of jwt found in header or query string."
  "error_description": "No definition of jwt found in header or query string.",
  "error": "unauthorized_client"
I'm pretty sure that the credentials I've entered (client ID and secret key) are correct. So I can see possible reasons for this error here:
  1. The encryption does not use the HMAC-SHA256 algorithm. Unfortunately I can't see where I could change this in the setup.
  2. There will be not JWT (token) generated in the header of the request (should be done automatically I think).
  3. Pega 8 does not support the process flow mentioned above.
Here are some more details regarding the (most important) parameters I've entered so far:
  • No special definition of a header (assuming that this will be generated automatically by Pega)
  • Authentiction scheme: OAuth 2.0
  • OAuth provider details:
    • Grant types: Client credentials AND Authorization code
    • All three code and token endpoints (URI's)
    • Send credentials as: POST
    • Send access token as: Authorization header
  • Grant type: Authorization code
  • All four client information fields
  • Additional endpoint parameter: response_type = code
What I also tried is to change the Grant type to "Client credentials". In this case I can see the following error message (even when manually re-entering the redirect-URI):
Caught Exception while creating OAuth2 client

Unable to obtain access token for client details in authentication profile configured for connector. Please check the logs for more details.

Access token endpoint invocation failed : {ErrorMessage=Response status : 307 Moved Temporarily, statuscode=307}

I checked the according endpoints but they all seem to be available but this is currently under clarification.

So it would be great if anybody with some REST, OAuth2 and JWT experience could comment on this or share some ideas.

Low-Code App Development Enterprise Application Development Dev/Designer Studio Data Integration Security
Moderation Team has archived post,
Close popover This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.