You can configure a PAS for OpenEdge instance to accept OAuth2 access tokens, validate JSON Web Tokens (JWT), and convert those tokens into ABL CLIENT-PRINCIPAL objects for use by your application. To test this functionality, you use OESECTOOL as the authorization server communicating over HTTP; however, for production environments use a commercial authorization server over HTTPS to ensure secure communication avoiding potential man-in-the-middle attack.

Review test requirements

  • Access to Proenv, run as administrator
  • Access to PAS for OpenEdge development license to install OESECTOOL
  • An installed oepas1 instance
  • Available ports
    • 9999—OESECTOOL
    • 8810—PAS for OpenEdge
  • Ability to run curl commands

Start the OESECTOOL OAuth2 server (HTTP)

OESECTOOL provides a test OAuth2 authorization server that issues JWT tokens on port 9999.

  1. Locate the OESECTOOL archive:

    Linux

    $DLC/servers/pasoe/extras/oesectool-version.zip

    Windows

    %DLC%\servers\pasoe\extras\oesectool-version.zip
  2. Extract the file to WRKDIR.
  3. Edit oesectool\conf\oesectool-oauth2.properties.
  4. Configure the settings, replacing hostname with your hostname or IP address:
    servername=hostname
    general.server.name="hostname"
    general.query.type="https"
    general.query.port="9999"
    

    The hostname must match all subsequent steps and token usage.

  5. Use Proenv to start the OESECTOOL OAuth2 server on port 9999.
    Linux
    oesectool-path/bin/oesectool.sh startoauth2server -port 9999
    Windows
    oesectool-path\bin\oesectool.bat startoauth2server -port 9999

    Result

    The server starts and listens on HTTP port 9999.
    Oidc/Oauth2 Server started
            Https port:  9999
            Process id: 10212
    The OESECTOOL oauth2server can:
    • Issue JWT tokens
    • Provide JWK public keys
    Required for production systems
    • Configure with HTTPS
    • Use a trusted certificate and secure port

Generate a JWT token

You access the JWK endpoint to generate a token for an existing user, user1. After storing the token in a variable, you can use the token to authenticate with a client application.

  1. Generate a token.
    curl -k https://hostname:9999/jwt/user1

    Result

    Returns a string token.

  2. Store the value in a token variable.
    Linux
    token="token-string"

    Windows

    p>
    set token="token-string"

    Result

    Stores a valid JWT token for testing.

Register trusted token issuer

PAS for OpenEdge must trust the issuer (iss) in the token.You create the CSV file to define which token domains or issuers are trusted. This tells PAS for OpenEdge from which sources it can accept tokens.

  1. Create a domain comma-separated values (CSV) file with your domain entry.

    Linux

    echo "http://example.com ," > instance/conf/testdomains.csv
    Windows
    echo http://example.com , > instance\conf\testdomains.csv
    Example
    echo http://example.com , > instance\conf\testdomains.csv

    The testdomains.csv file is created to work with the default users for oepas1.

  2. Run gendomreg to register the trusted domain in the ABL domain keystore. This allows PAS for OpenEdge to accept tokens issued by OESECTOOL instead of rejecting them as untrusted.

    Linux

    gendomreg instance/conf/testdomains.csv instance/conf/ABLDomainRegistry.keystore

    Windows

    gendomreg instance\conf\testdomains.csv instance\conf\ABLDomainRegistry.keystore
    Note: If you are not already running Proenv as an administrator, restart Proenv using Run as administrator.
    Result

    The command completes without errors. The domain is registered in ABLDomainRegistry.keystore and available for token domain validation. PAS for OpenEdge trusts tokens issued by OESECTOOL and the issuer (iss) in the JWT must exactly match this value.

    OEDomainRegistryUtil v2.0.0 - 2026-01-05
    Operating in standard mode
    
      [Generate domain registry from inputFile]
    
    input file      : testdomains.csv    [CSV]
    output file     : ABLDomainRegistry.keystore    [binary]
    
    Created keystore file c:\OpenEdge\WRK\oepas1\conf\ABLDomainRegistry.keystore - 401 bytes

Enable OAuth2 for a single web application

You must enable authentication for the PAS for OpenEdge application using the oeablSecurity.properties file in the app-name directory structure.

  1. Edit oeablSecurity.properties for the web applications.
    Linux:
    instance/webapps/web-app-name/WEB-INF/oeablSecurity.properties

    Windows:

    instance\webapps\web-app-name\WEB-INF\oeablSecurity.properties

    Example:

    C:\OpenEdge\WRK\oepas1\webapps\ROOT\WEB-INF\oeablSecurity.properties
  2. Set client.login.model=oauth2:
    client.login.model=oauth2
  3. Save the file.

Result

OAuth2 authentication is enforced for this application upon restart.

For more information about client.login.model, see Enable ABL application authentication.

Configure JWT validation

PAS for OpenEdge uses public keys to verify token integrity.

  1. Edit:
    oeablSecurity.properties
  2. Add:
    jwtToken.keystore.type=jwk
    jwtToken.keystore.jwkurl=https://hostname:9999/keys
    Result
    • PAS for OpenEdge retrieves keys from OESECTOOL
    • PAS for OpenEdge validates token signatures
  3. Save the file.
Production required

For secure environments:

jwtToken.keystore.jwkurl=https://hostname:9999/keys
  • Requires trusted certificates
  • Prevents man-in-the-middle attacks

Configure token validation type

Define how PAS for OpenEdge validates tokens.

  1. Edit:
    oeablSecurity.properties
  2. Add:
    oauth2.resSvc.tokenServices=jwt
    Result
    • PAS for OpenEdge validates tokens locally (no external calls)
  3. Save the file.
Optional (Production recommendation - Remote validation)

When using opaque tokens or OIDC:

oauth2.opaqueToken.introspectionUri=http://auth-server/introspect
oauth2.opaqueToken.clientSecret=secret
  • Use HTTPS in production
  • Use encrypted secrets

Restart the instance

Configuration changes require a restart.

  1. In Proenv:
    pasman oeserver -I oepas1 -restart
    Results
    • New OAuth2 configuration is active

Test the configuration

Confirms end-to-end OAuth2 functionality.

Use the token to access the ping resource, replace the hostname and portin the URI.

Linux

curl -k -H "Authorization: Bearer $token" http://hostname:8810/rest/_oepingService/_oeping

Windows

curl -k -H "Authorization: Bearer %token%" http://hostname:8810/rest/_oepingService/_oeping
A successful response confirms that the instance accepted and validated the OAuth2 token.
Note: This example does not implement https, because https is not required in a test system.

For more information on the OESECTOOL utility, see OESECTOOL.