Pegasystems Inc.
Last activity: 11 Dec 2025 17:39 EST
Custom Bearer Grant Type
Thank you @VinodSeraphin for putting this document together.
See more: Constellation 101
If you've been building Constellation applications using Web Embed or the SDKs, you've likely encountered the challenge of managing OAuth 2.0 authentication flows. Traditionally, the "Authorization Code Grant Flow" has been the go-to for public client flows. However, it relies heavily on browser redirects or popups to an external Identity Provider (IDP). While that flow is standard, you might want to try a different approach.

Custom Bearer Grant Type
The Custom Bearer Grant Type changes the authentication process by allowing the client to negotiate a Pega Infinity access token directly via a custom activity. This eliminates the need for an intermediate server (typically required to negotiate a token with Infinity) and the disruptive client-side redirects present in the authorization code flow.
Key Benefits:
- Seamless UX: No visible redirects or popups for the end-user.
- Simplified Architecture: Removes the need for a separate "token-negotiating" server.
- Flexibility: You define the authentication logic within a Pega Activity.
How to Enable It
To start using this feature, you need to enable it via a Dynamic System Setting (DSS):
- Create/Update DSS: CustomAuthForPegaEmbed
- Owning Ruleset: Pega-Engine
- Value: true
Once enabled, you will see the "Custom bearer" checkbox in your OAuth 2.0 Client Registration records.
Configuration
Please read the attached PDF documentation. High-level configuration steps:
- Configure Authentication Activity
- Client Integration (Web Embed or SDKs)
Important Considerations
While powerful, remember that "Custom Bearer" is not a standard OAuth 2.0 grant flow.
- It places the responsibility of authentication logic entirely on your custom activity.
- It does not offer "out-of-the-box" integration with external IDPs (like SAML or OIDC) in the way standard flows do; you must implement any necessary server-to-server validation within your activity.
- Tokens returned are standard Infinity JWTs.
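To illustrate the client side of the flow described above (the client obtains a standard Infinity JWT from the custom activity and then uses it as a bearer token, with no redirects), here is an added example that is not part of this post or of Pega's Web Embed/SDK code. It assumes a `negotiate()` callback that performs the actual token negotiation against Infinity; its endpoint and request shape are not given here, so it is injected rather than implemented. The `exp` claim is read only to schedule re-negotiation; the client never treats the decoded claims as authoritative, since Infinity verifies the signature on every request.

```javascript
// Added example (not Pega's code): in-memory handling of the Infinity JWT
// returned by a Custom Bearer negotiation, with re-negotiation before expiry.

// Decode the JWT payload without verifying the signature. On the client this
// is used only for reading `exp`; the server still validates every token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact-serialized token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the token has expired or will expire within `skewSec` seconds.
// A token without a numeric `exp` is treated as unusable rather than eternal.
function isExpiringSoon(token, nowSec = Math.floor(Date.now() / 1000), skewSec = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true;
  return exp - nowSec <= skewSec;
}

// Keeps the token in memory only (never localStorage), re-uses it while valid,
// collapses concurrent callers onto one in-flight negotiation, and calls the
// assumed `negotiate()` (returns a Promise resolving to the JWT string) otherwise.
function createBearerTokenManager(negotiate, clock = () => Math.floor(Date.now() / 1000)) {
  let cached = null;
  let inflight = null;

  async function getToken() {
    if (cached && !isExpiringSoon(cached, clock())) return cached;
    if (!inflight) {
      inflight = negotiate().then(
        (token) => { cached = token; inflight = null; return token; },
        (err) => { inflight = null; throw err; },
      );
    }
    return inflight;
  }

  // Headers to attach to a request against Infinity's REST/DX APIs.
  async function authHeaders() {
    return { Authorization: `Bearer ${await getToken()}` };
  }

  return { getToken, authHeaders };
}

// Constructed sample token (header + payload + placeholder signature) so the
// example runs offline; a real Infinity JWT carries a verifiable signature.
function makeSampleJwt(payload) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.signature-placeholder`;
}

module.exports = { decodeJwtPayload, isExpiringSoon, createBearerTokenManager, makeSampleJwt };
```

In a real integration, `negotiate()` would be whatever call the attached documentation prescribes for the Custom Bearer client; the manager above only governs when that call is made and keeps the token out of persistent browser storage.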