This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Exception while creating OAuth2 client

SA-54259

Summary



The user is running Pega 7.3.1 and uses an OAuth 2.0 authentication profile in a Connect-REST call.

The user selected the "Client Credentials" grant type in the authentication profile and enabled this grant type in the OAuth 2.0 Provider rule form. The "Send Client credentials" option is set to "Post body" and the "Send Access Token" option is set to "Authorization header".

The access token endpoint in the OAuth 2.0 Provider rule form is set to "https://xxxxx-xxx.apigee.net/oauth/client_credential/accesstoken" (that is, the access token endpoint URL is configured without "grant_type=client_credentials" as a query string parameter).

In this case, Pega does not automatically send "grant_type=client_credentials" as a query string parameter, even though the "Client Credentials" grant type is selected in both the OAuth 2.0 Provider and authentication profile rule forms. As a result, the Connect-REST call fails and the service returns an error about the missing grant type.


Error Messages



2018-03-13 15:52:00,378 [p-apr-8080-exec-1129] [ STANDARD] [ ] [ PegaSA:01.01.01] (client.oauth2.OAuth2ClientImpl) DEBUG xxxxx-xxx.xxxxxx.xx|xxx.xxx.xx.xxx|Rule-Connect-REST.Peg-Int-AccntLkup-AccountLookupAPI.AccountLookup operatorA - Token endpoint invocation results:
Status code = 400
Status text = Bad Request
Content type = null
Content size = 73

2018-03-13 15:52:00,378 [p-apr-8080-exec-1129] [ STANDARD] [ ] [ PegaSA:01.01.01] (client.oauth2.OAuth2ClientImpl) DEBUG xxxxx-xxx.xxxxxx.xx|xxx.xxx.xx.xxx|Rule-Connect-REST.Peg-Int-AccntLkup-AccountLookupAPI.AccountLookup operatorA -
Response received : {"ErrorCode" : "invalid_request", "Error" :"Required param : grant_type"}


Steps to Reproduce

  1. Create a Connect-REST call that uses the OAuth 2.0 authentication type.
  2. In the OAuth 2.0 Authentication Profile and OAuth 2.0 Provider rule forms, select "Client Credentials" as the Grant Type.
  3. In the OAuth 2.0 Provider rule form, set the "Send Client credentials" option to "Post body" and the "Send Access Token" option to "Authorization header".
  4. Invoke the Connect-REST call from an activity.


Root Cause



An issue in the custom application code or rules was identified as the root cause.

Pega sends access token parameters to the access token endpoint in the request header or the POST request body, following the token request example in RFC 6749. The OAuth 2.0 provider in this case expected Pega to send grant_type as a query string parameter instead, which caused the issue. Out of the box, Pega currently does not support sending grant_type as a query string parameter when retrieving the access token.

Resolution



Use either of the following two approaches to resolve the issue:
  • Explicitly add grant_type as a query string parameter to the access token endpoint URL in the Pega OAuth 2.0 Provider rule form (for example: https://xxxxx-xxx.apigee.net/oauth/client_credential/accesstoken?grant_type=client_credentials ).
  • Or modify the OAuth2Policy on the provider side so that it also accepts the parameters in the header or POST body instead of only in the query string (example shown below).
<OAuthV2 name="GenerateAccessToken">
  <!-- This policy generates an OAuth 2.0 access token using the client_credentials grant type -->
  <Operation>GenerateAccessToken</Operation>
  <!-- This is in milliseconds, so expire in an hour -->
  <ExpiresIn>3600000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.queryparam.grant_type</GrantType>  <!-- change to request.header.grant_type -->
  <GenerateResponse/>
</OAuthV2>
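
The mismatch described above can be reproduced offline with the following added example, which is not Pega or Apigee code. It builds the token request the way the article describes (grant_type in the POST body, or appended to the URL as in the first workaround) and runs it against a simplified stand-in for the provider policy. The endpoint host, the credentials, and the "queryparam"/"formparam" labels are assumptions made for this model.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values: placeholder endpoint and credentials, not from the article.
ENDPOINT = "https://provider.example/oauth/client_credential/accesstoken"

def build_token_request(endpoint, client_id, client_secret, grant_in_query=False):
    """Client credentials token request with credentials in the POST body.

    By default grant_type travels in the form body (RFC 6749, section 4.4.2).
    With grant_in_query=True it is appended to the URL instead, which is the
    article's first workaround.
    """
    form = {"client_id": client_id, "client_secret": client_secret}
    url = endpoint
    if grant_in_query:
        url += "?" + urlencode({"grant_type": "client_credentials"})
    else:
        form["grant_type"] = "client_credentials"
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }

def provider_check(request, grant_source):
    """Simplified stand-in for the provider's policy (not Apigee code).

    grant_source says where the policy looks for grant_type:
    "queryparam" (URL query string) or "formparam" (POST body).
    """
    if grant_source == "queryparam":
        params = parse_qs(urlsplit(request["url"]).query)
    elif grant_source == "formparam":
        params = parse_qs(request["body"])
    else:
        raise ValueError("unknown grant_source: " + grant_source)
    if params.get("grant_type") != ["client_credentials"]:
        error = {"ErrorCode": "invalid_request", "Error": "Required param : grant_type"}
        return 400, json.dumps(error)
    return 200, json.dumps({"token_type": "Bearer"})

if __name__ == "__main__":
    default = build_token_request(ENDPOINT, "demo-id", "demo-secret")
    workaround = build_token_request(ENDPOINT, "demo-id", "demo-secret", True)
    print(provider_check(default, "queryparam"))     # the failure in the article
    print(provider_check(workaround, "queryparam"))  # first workaround
    print(provider_check(default, "formparam"))      # provider-side change
```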

Published July 23, 2018 - Updated October 8, 2020
