Skip to main content

Table of Contents

Securing Cosmos React-UI applications


Only available versions of this content are shown in the dropdown

If your application uses a Cosmos React-UI, then it authenticates operators using one of the newer (PRAuth) types of Pega Platform Authentication schemes. Requests are typically submitted using a URL that includes an application alias, for example: https://<host>:<port>/prweb/app/Alias. For an unauthenticated user, this type of request presents a page showing a list of authentication services available for login to the application. If the user chooses Basic authentication, then the password, lockout, and CAPTCHA policies are applied by default.

Cosmos React-UI security

When using Cosmos React-UI, use the following conventions, or you will encounter errors and issues with authentication:

  • HTTPS is required if the application is marked to use Cosmos React-UI.
  • Authorized access tokens (AAT) should be marked as HttpOnly and secured using a dynamic system setting. For more information, see Creating a dynamic system setting.
  • You can customize token lifetime configurations on the OAuth 2.0 Client Registration rule form.
  • URL patterns & authentication
    • Cosmos React-UI supports only app-specific URLs and PRAuth-based authentication-schemes. For example, https://<host>:<port>/prweb/app/Alias is valid.
    • Cosmos React-UI does not support non app-specific URLs and for custom authentication and any authentication-schemes other than PRAuth. For example, URLs such as the following will cause an error: https://hostname:port/prweb/PRWebLDAP1/app/Alias.
    • If a Cosmos React-UI application is exported to higher environments, instances of OAuth 2.0 clients that are specific to the application must be included in the package.
  • API Security
    • All Cosmos React-UI service-packages must be configured to use OAuth 2.0 authentication. For more information, see OAuth 2.0 client registrations.
  • Authorization
    • An operator must have PegaRULES:PegaAPI role to perform Digital Experience (DX) and data API calls.
    • If the application uses DX API, an OAuth 2.0 Client is generated automatically when the application is saved.
  • Session management
    • It is a leading practice to set the Access group timeout as a longer time period than the Refresh token timeout. For example, the Refresh token timeout is set to 15 minutes and the Access group timeout is set to 1 hour.
    • Even if the Access group timeout is configured to be less than access token expiry, then re-authentication is required if the access token expires.
  • Custom authentication is supposed in Cosmos React-UI applications. For more information, see Configuring custom or Kerberos login authentication.
Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us