Securing Cosmos React-UI applications


If your application uses a Cosmos React-UI, then it authenticates operators using one of the newer (PRAuth) types of Pega Platform Authentication schemes. Requests are typically submitted using a URL that includes an application alias, for example: https://<host>:<port>/prweb/app/Alias. For an unauthenticated user, this type of request presents a page showing a list of authentication services available for login to the application. If the user chooses Basic authentication, then the password, lockout, and CAPTCHA policies are applied by default.

Cosmos React-UI security

When using Cosmos React-UI, use the following conventions, or you will encounter errors and issues with authentication:

  • HTTPS is required if the application is marked to use Cosmos React-UI.
  • Authorized access tokens (AAT) should be marked as HttpOnly and secured using a dynamic system setting. For more information, see Creating a dynamic system setting.
  • You can customize token lifetime configurations on the OAuth 2.0 Client Registration rule form.
  • URL patterns & authentication
    • Cosmos React-UI supports only app-specific URLs and PRAuth-based authentication-schemes. For example, https://<host>:<port>/prweb/app/Alias is valid.
    • Cosmos React-UI does not support non-app-specific URLs, custom authentication, or any authentication schemes other than PRAuth. For example, URLs such as the following will cause an error: https://hostname:port/prweb/PRWebLDAP1/app/Alias.
    • If a Cosmos React-UI application is exported to higher environments, instances of OAuth 2.0 clients that are specific to the application must be included in the package.
  • API Security
    • All Cosmos React-UI service-packages must be configured to use OAuth 2.0 authentication. For more information, see OAuth 2.0 client registrations.
  • Authorization
    • An operator must have the PegaRULES:PegaAPI role to perform Digital Experience (DX) and data API calls.
    • If the application uses DX API, an OAuth 2.0 Client is generated automatically when the application is saved.
  • Session management
    • It is a leading practice to set the Access group timeout as a longer time period than the Refresh token timeout. For example, the Refresh token timeout is set to 15 minutes and the Access group timeout is set to 1 hour.
    • Even if the Access group timeout is configured to be less than the access token expiry, re-authentication is required when the access token expires.
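
The URL, token-cookie and timeout conventions above can be checked before deployment; the following is an added example, not Pega code. It assumes the `prweb` context root from the page's example URLs, that the access token is delivered in a Set-Cookie header, and that "secured" means the Secure attribute; the host name, cookie name and function names are hypothetical.

```python
from urllib.parse import urlsplit

def check_entry_url(url):
    """Findings for an entry URL; an empty list means it matches /prweb/app/<Alias>."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        findings.append("HTTPS is required")
    seg = [s for s in parts.path.split("/") if s]
    # Assumption: the context root is "prweb", as in the page's example URLs.
    if not seg or seg[0] != "prweb":
        findings.append("path does not start with /prweb")
    elif len(seg) >= 3 and seg[1] == "app":
        pass  # app-specific URL: /prweb/app/<Alias>
    elif "app" in seg[2:]:
        # e.g. /prweb/PRWebLDAP1/app/Alias: a servlet segment sits before /app
        findings.append(f"segment '{seg[1]}' before /app: not an app-specific PRAuth URL")
    else:
        findings.append("no application alias: expected /prweb/app/<Alias>")
    return findings

def check_token_cookie(set_cookie_header):
    """Findings for the cookie that carries the authorized access token."""
    # Skip the name=value pair, then collect attribute names case-insensitively.
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie_header.split(";")[1:]}
    return [f"cookie is missing {name}" for name, key in
            (("HttpOnly", "httponly"), ("Secure", "secure")) if key not in attrs]

def check_timeouts(access_group_timeout_min, refresh_token_timeout_min):
    """Leading practice from the page: Access group timeout > Refresh token timeout."""
    if access_group_timeout_min <= refresh_token_timeout_min:
        return ["Access group timeout should be longer than the Refresh token timeout"]
    return []

if __name__ == "__main__":
    # Constructed sample values; the host and cookie name are placeholders.
    for url in ("https://pega.example.test:8443/prweb/app/Alias",
                "https://pega.example.test:8443/prweb/PRWebLDAP1/app/Alias",
                "http://pega.example.test:8080/prweb/app/Alias"):
        print(url, "->", check_entry_url(url) or "OK")
    print(check_token_cookie("token-placeholder=abc; Path=/prweb; HttpOnly"))
    print(check_timeouts(access_group_timeout_min=60, refresh_token_timeout_min=15) or "OK")
```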