Simple steps to enable OAuth for your Pega REST service
- techpapers

- Jan 2
- 3 min read
In this blog, let's create a REST service in Pega that is protected by OAuth. A precondition is that you should have a fundamental understanding of OAuth. To know how OAuth works, you can go through this blog post - OAuth - Open Authorization Basics
We assume you have already created a REST web service and now wish to implement OAuth authorization for it. Let's consider a Customer REST service as an example. The GET method in this service allows you to retrieve customer data by supplying the customer ID as a query parameter.
To activate OAuth for this service, we need to follow the steps outlined below.
Enable OAuth Authentication type in Service Package.
Create OAuth Client Registration Rule and download the OAuth setting file.
Configure REST service detail and OAuth detail in Postman to call the API.
Let's go through each of these steps in detail.
Enable OAuth Authentication type in Service Package
Each REST service in Pega is part of a Service package. The service package rule includes settings for Authentication. Once you configure an authentication type in the service package, you need to provide the same authentication details when calling any service within that package.
In the service package, set the authentication type to OAuth 2.0.

Save service package rule with this configuration.
Create OAuth Client Registration Rule and download the OAuth setting file
The purpose of this rule is to register the caller of the REST service with the OAuth provider. In this case the REST service is developed in Pega, and Pega is acting as the OAuth provider. In other words, if another application calls the service, Pega validates the OAuth details and grants access only if the OAuth details provided by the caller are correct.

After clicking the option above, Pega creates an OAuth Client Registration rule. This rule has many configuration settings; some of them are provided by Pega and cannot be changed.

At the bottom of this rule you'll find an option labeled Supported Grant type. Here you should provide an operator ID that has access to the application rules. Typically a dedicated operator is created for this purpose, but for testing you can specify any operator with access to the application for which the REST service is developed.

Next, click the View & download button to obtain the OAuth details. Save this file in a familiar location, as it contains important settings required for the next step.
Configure REST service detail and OAuth detail in Postman to call the API
With the above setup, the REST service is now configured with OAuth. In this step, we'll call the service using the Postman API testing tool. You can also use other tools like API Dog or SOAP UI for this task. In this blog, we'll use Postman. The configuration in Postman is divided into two categories.
API configuration.
OAuth configuration.
API configuration covers the URL, the API method, and query parameters or other request parameters (optional, as required).

For OAuth configuration, click the Authorization tab and configure the properties below. Open the client registration file you saved earlier; all of the OAuth details come from this file.
Type - set as "OAuth 2.0"
Access Token URL
Client ID
Client Secret
Client Authentication - set as "Send As basic auth header"

Click the "Get New Access Token" button to generate a new JSON Web Token for calling the API. If a new token appears after clicking this button, we are all set to call the REST service using OAuth 2.
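As an added example (not code from the original post), here is the same exchange Postman performs, written as a standard-library Python script: it builds the token request with the Basic auth header, checks the token response, and then calls the Customer service with a Bearer token. It assumes the client credentials grant, which is what the Postman settings above correspond to; the URLs, client ID, client secret and the CustomerID query parameter name are placeholders to be replaced with the values from the downloaded client registration file.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholders: copy the real values from the client registration file you downloaded.
TOKEN_URL = "https://PEGA-HOST-PLACEHOLDER/oauth2/token"  # "Access Token URL" in the file
API_URL = "https://PEGA-HOST-PLACEHOLDER/api/customer"    # the Customer REST service
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"
CLIENT_SECRET = "CLIENT-SECRET-PLACEHOLDER"

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """'Send As basic auth header': Authorization: Basic base64(id:secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_token_request(token_url: str, client_id: str, client_secret: str):
    """The POST Postman sends for 'Get New Access Token' (client credentials grant)."""
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")

def parse_token_response(body: bytes, now: float, skew: int = 30) -> dict:
    """Extract the bearer token; reject a response without one and note when it expires."""
    data = json.loads(body)
    token = data.get("access_token")
    if not token:
        raise ValueError(f"no access_token in token response: {data.get('error', data)}")
    # Treat the token as expired `skew` seconds early so a call never races the real expiry.
    expires_at = now + max(int(data.get("expires_in", 0)) - skew, 0)
    return {"access_token": token, "expires_at": expires_at}

def fetch_token() -> dict:
    """Network call: obtain a token from the Pega token endpoint."""
    req = build_token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET)
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read(), time.time())

def get_customer(customer_id: str, token: dict) -> dict:
    """Network call: GET the customer, presenting the access token as a Bearer credential."""
    if time.time() >= token["expires_at"]:
        token.update(fetch_token())  # refresh rather than send a stale token
    url = API_URL + "?" + urllib.parse.urlencode({"CustomerID": customer_id})  # assumed param name
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token["access_token"]})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

Call `get_customer("C-1001", fetch_token())` once the placeholders are filled in; `parse_token_response` raises on an error response such as `invalid_client`, which is the same failure you would see as "no new token" in Postman.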
If you want to try this API with OAuth, please drop us a message or comment below. We can help you configure all these steps over a call. If you have any suggestions or questions, do write to us.