Configure OESECTOOL as test authorization server
- Last Updated: June 17, 2026
- 5 minute read
- OpenEdge
- Version 12.8
- Documentation
You can configure a PAS for OpenEdge instance to accept OAuth2 access tokens, validate JSON Web
Tokens (JWT), and convert those tokens into ABL CLIENT-PRINCIPAL
objects for use by your application. To test this functionality, you use OESECTOOL as
the authorization server communicating over HTTP; however, for production environments
use a commercial authorization server over HTTPS to ensure secure communication avoiding
potential man-in-the-middle attack.
Review test requirements
- Access to Proenv, run as administrator
- Access to PAS for OpenEdge development license to install OESECTOOL
- An installed
oepas1instance - Available ports
- 9999—OESECTOOL
- 8810—PAS for OpenEdge
- Ability to run curl commands
Start the OESECTOOL OAuth2 server (HTTP)
OESECTOOL provides a test OAuth2 authorization server that issues JWT tokens on port 9999.
- Locate the OESECTOOL
archive:
Linux
$DLC/servers/pasoe/extras/oesectool-version.zipWindows
%DLC%\servers\pasoe\extras\oesectool-version.zip - Extract the file to WRKDIR.
- Edit oesectool\conf\oesectool-oauth2.properties.
- Configure the settings, replacing
hostnamewith yourhostnameorIP address:servername=hostname general.server.name="hostname" general.query.type="https" general.query.port="9999"The
hostnamemust match all subsequent steps and token usage. - Use Proenv to start the OESECTOOL OAuth2 server on port
9999. Linux
oesectool-path/bin/oesectool.sh startoauth2server -port 9999Windowsoesectool-path\bin\oesectool.bat startoauth2server -port 9999Result
The server starts and listens on HTTP port 9999.The OESECTOOLOidc/Oauth2 Server started Https port: 9999 Process id: 10212oauth2servercan:- Issue JWT tokens
- Provide JWK public keys
- Configure with HTTPS
- Use a trusted certificate and secure port
Generate a JWT token
You access the JWK endpoint to generate a token for an existing user, user1.
After storing the token in a variable, you can use the token to authenticate with a
client application.
- Generate a token.
curl -k https://hostname:9999/jwt/user1Result
Returns a string token.
- Store the value in a token variable.Linux
token="token-string"Windows
p>set token="token-string"Result
Stores a valid JWT token for testing.
Register trusted token issuer
PAS for OpenEdge must trust the issuer (iss) in the token.You create
the CSV file to define which token domains or issuers are trusted. This tells PAS
for OpenEdge from which sources it can accept tokens.
- Create a domain comma-separated values (CSV) file with your domain entry.
Linux
Windowsecho "http://example.com ," > instance/conf/testdomains.csv
Exampleecho http://example.com , > instance\conf\testdomains.csvecho http://example.com , > instance\conf\testdomains.csvThe testdomains.csv file is created to work with the default users for
oepas1. - Run gendomreg to register the trusted domain in the ABL domain keystore.
This allows PAS for OpenEdge to accept tokens issued by OESECTOOL instead of
rejecting them as untrusted.
Linux
gendomreg instance/conf/testdomains.csv instance/conf/ABLDomainRegistry.keystoreWindows
gendomreg instance\conf\testdomains.csv instance\conf\ABLDomainRegistry.keystoreNote: If you are not already running Proenv as an administrator, restart Proenv using Run as administrator.ResultThe command completes without errors. The domain is registered in ABLDomainRegistry.keystore and available for token domain validation. PAS for OpenEdge trusts tokens issued by OESECTOOL and the issuer (
iss) in the JWT must exactly match this value.OEDomainRegistryUtil v2.0.0 - 2026-01-05 Operating in standard mode [Generate domain registry from inputFile] input file : testdomains.csv [CSV] output file : ABLDomainRegistry.keystore [binary] Created keystore file c:\OpenEdge\WRK\oepas1\conf\ABLDomainRegistry.keystore - 401 bytes
Enable OAuth2 for a single web application
You must enable authentication for the PAS for OpenEdge application using the oeablSecurity.properties file in the app-name directory structure.
- Edit oeablSecurity.properties for the web applications.
Linux:
instance/webapps/web-app-name/WEB-INF/oeablSecurity.propertiesWindows:
instance\webapps\web-app-name\WEB-INF\oeablSecurity.propertiesExample:
C:\OpenEdge\WRK\oepas1\webapps\ROOT\WEB-INF\oeablSecurity.properties - Set
client.login.model=oauth2:client.login.model=oauth2 - Save the file.
Result
OAuth2 authentication is enforced for this application upon restart.
For more information about client.login.model, see Enable ABL application authentication.
Configure JWT validation
PAS for OpenEdge uses public keys to verify token integrity.
- Edit:
oeablSecurity.properties - Add:
ResultjwtToken.keystore.type=jwk jwtToken.keystore.jwkurl=https://hostname:9999/keys- PAS for OpenEdge retrieves keys from OESECTOOL
- PAS for OpenEdge validates token signatures
- Save the file.
For secure environments:
|
- Requires trusted certificates
- Prevents man-in-the-middle attacks
Configure token validation type
Define how PAS for OpenEdge validates tokens.
- Edit:
oeablSecurity.properties - Add:
Resultoauth2.resSvc.tokenServices=jwt- PAS for OpenEdge validates tokens locally (no external calls)
- Save the file.
When using opaque tokens or OIDC:
|
- Use HTTPS in production
- Use encrypted secrets
Restart the instance
Configuration changes require a restart.
- In Proenv:
Resultspasman oeserver -I oepas1 -restart- New OAuth2 configuration is active
Test the configuration
Confirms end-to-end OAuth2 functionality.
Use the token to access the ping resource, replace the hostname and portin the URI.
Linux
|
Windows
|
For more information on the OESECTOOL utility, see OESECTOOL.