
OAuth 2.0 authentication for email providers

Updated on April 6, 2022

Secure your email integration with third-party email providers by storing your access tokens in a Pega OAuth 2.0 authentication profile. With your email provider access tokens stored, your application can send and receive emails from Microsoft Graph accounts, and send emails from Google Mail accounts.

For details on how to configure an OAuth 2.0 authentication profile, see Configuring an OAuth 2.0 authentication profile.

The following sections specify the information that you need from your email provider before creating an OAuth 2.0 authentication profile in Pega Platform:

Microsoft Graph for inbound and outbound emails

Your application must have an access token to call Microsoft Graph. The access token specifies the permissions that your application needs so that it can use Microsoft Graph. You obtain the access token by registering your application in the Microsoft Azure portal. For more information, see your Microsoft Azure developer documentation.

Make sure that you grant the appropriate permissions in the application that you registered in the Microsoft Azure portal. The permissions that you grant depend on your email configuration in Pega Platform, as shown in the following table:

Configuration choices | Mail.Send | User.Read | Mail.ReadWrite
Use Microsoft Graph to send emails from Pega Platform.
Use Microsoft Graph to receive emails in Pega Platform.
Use Microsoft Graph to both send and receive emails in Pega Platform.
Important: Because the Microsoft Graph API imposes a limit on the allowed attachment size, Pega Platform uses the Office 365 Exchange Online API for outbound emails when the attachment size exceeds 3MB. To avoid issues, enable the following permissions for Office 365 Exchange Online API in Microsoft Azure:
  • Mail.Send
  • Mail.ReadWrite

OAuth 2.0 authentication profile configuration for Microsoft Graph

After you register your application with Microsoft Azure, create an OAuth 2.0 authentication profile with the following required details:

  • Client ID
  • Client secret from Microsoft Azure
  • OAuth 2.0 token endpoint, for example, https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/token
  • Tenant ID

    You get the tenant ID when you create a new tenant in the Microsoft Azure portal.

Note: Microsoft Graph supports the Client credentials and Password credentials grant types.
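Before you store a token in the authentication profile, you can confirm that the app registration grants exactly the permissions your email configuration needs. The following Python sketch is an added example, not Pega or Microsoft code. It assumes the access token is a JWT that lists application permissions in the roles claim (Client credentials) or delegated permissions in the scp claim (Password credentials); the helper names and the sample token are constructed for illustration.

```python
import base64
import json

# Permissions named on this page for the Microsoft Graph email integration.
PAGE_PERMISSIONS = {"Mail.Send", "User.Read", "Mail.ReadWrite"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def granted_permissions(access_token: str) -> set:
    """Return the permissions a token carries. Inspection only: no signature check.

    Assumption: application permissions are in 'roles' (a list) and delegated
    permissions are in 'scp' (a space-separated string).
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    claims = json.loads(b64url_decode(parts[1]))
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def audit(access_token: str, expected: set) -> dict:
    """Compare granted permissions with the set the email configuration needs."""
    granted = granted_permissions(access_token)
    return {"missing": sorted(expected - granted),
            "excess": sorted(granted - expected)}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(claims) + ".sig"


if __name__ == "__main__":
    # Constructed sample: one permission missing, one granted beyond what is needed.
    token = make_sample_token(
        {"roles": ["Mail.Send", "Mail.ReadWrite", "Directory.Read.All"]})
    print(audit(token, PAGE_PERMISSIONS))
```

Pass as expected only the permissions that the table lists for your configuration choice, and remove any permission reported as excess from the app registration.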

Google Mail for outbound emails

You can send emails from your Google Mail account in Pega Platform by using an OAuth token that is configured with a JSON Web Token (JWT).

To configure the keystore and JWT profile in Pega Platform, obtain the following information from your Google service account for email:
  • Download the key pair in the .p12 format.
  • Save the password for the key pair.
  • Obtain the alias of the key pair by running keytool -v -list -keystore <.p12 file>.

    Take note of the alias in the property Alias name in the output.

For more information, see your Google developer documentation.

Custom claims for JWT profile configuration

To create a JWT profile in Pega Platform, see Creating a generation JSON Web Token profile. In addition to configuring the standard registered claims, be sure to include the following custom claims in the Custom claims section of your JWT profile.

OAuth 2.0 authentication profile configuration for Google Mail

After you create the JWT bearer profile, create an OAuth 2.0 authentication profile.

Note: The Client secret is optional. For more information, see your Google developer documentation.
