To mitigate client-side security holes, poor client application code security, and man-in-the-middle attacks, it is essential to limit the window of time during which the SSO tokens handled by clients can be used. Using small windows of time requires the ability to transparently refresh an SSO token with a new expiration time. Refreshing an SSO token requires that only the authenticated user knows the SSO token shared with the SSO token issuer. This ensures that the SSO token issuer can validate that only the authenticated user can obtain a refreshed SSO token.

The OE SSO token refresh provides a client with the ability to refresh an expired OpenEdge Native SSO token. The implementation intercepts a web application relative URI, validates the client's refresh token, and, if validation succeeds, issues a new OpenEdge Native SSO token with a given lifetime.

OE SSO Token Refresh Properties

Property: OESSO.require.https
  Data type: boolean
  Default value: true
  Range: true | false
  Description: true requires that every SSO operation be requested by the client using the HTTPS URL scheme. false allows HTTP (not recommended for operating a secure web application). This property is used to set the property OESSORefreshFilter.refreshSecure.

Property: OESSO.error.detail
  Data type: integer
  Default value: 1
  Range: 0 (none), 1 (terse), 2 (debug)
  Description: Controls the amount of error detail returned to a client for all SSO operations. The default (0) meets security best practices by returning little of value that a hacker can make use of, but it does not supply an administrator or end user with useful information for problem solving. Higher levels provide more information to administrators for problem resolution, but can also provide information a hacker can use to attack your application.

Property: OESSORefreshFilter.refreshURL
  Data type: string
  Default value: /static/auth/token
  Range: viable relative URI
  Description: Sets the relative URI that a client uses to execute a refresh operation for an expired OE SSO token. The property's value may not be blank and may not fall in any of the following URI spaces:
    • /apsv
    • /soap
    • /rest
    • /web

Property: OESSORefreshFilter.refreshURLOption
  Data type: string
  Default value: refresh
  Range: { refresh }
  Description: The URL query option name that carries the type of token operation requested by the client. For example: https://myauthservice/static/auth/token?refresh

Property: OESSORefreshFilter.ssoRefreshClientType
  Data type: string
  Default value: * (every client type)
  Range: Java RegEx pattern
  Description: Requires the HTTP request's User-Agent: header to contain a value matching the given Java RegEx pattern. The default "*" value disables User-Agent: header checking.

Property: OESSOTokenManager.ssoRefreshDeltaTime
  Data type: integer
  Default value: 3600 (1 hour)
  Range: 1..n seconds
  Description: Controls the amount of time, in seconds, that a refreshed OE SSO token remains valid before it expires and must be refreshed again.

Property: OESSORefreshFilter.refreshErrorDetail
  Data type: integer
  Default value: 0
  Range: 0-2
  Description: Controls the amount of error detail returned to a client during the OE SSO token refresh process. This property is normally set through the OESSO.error.detail property so that the error detail level stays consistent across the different SSO process operations. Set it explicitly only if OE SSO token refresh errors should return a different amount of error information than other SSO operations.

Property: OESSORefreshFilter.refreshSecure
  Data type: boolean
  Default value: true
  Range: true | false
  Description: Controls whether client requests that refresh an OE SSO token must use HTTPS. This property is normally set through the OESSO.require.https property so that the HTTPS requirement stays consistent across the different SSO process operations. Set it explicitly only if the HTTPS requirement for token refresh differs from other SSO operations.
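The following Python script is an added example, not OpenEdge product code or part of the original documentation. It models the rules the properties above impose on a refresh request (HTTPS required unless refreshSecure/require.https is false, exact match on the refreshURL path, the refreshURLOption query name present, and the User-Agent matched against ssoRefreshClientType when it is not "*") and checks a configuration fragment against the documented constraints (refreshURL not blank and outside /apsv, /soap, /rest and /web; ssoRefreshDeltaTime at least 1 second; error detail 0-2). The .properties fragment is constructed, the assumption that these keys live in the PAS for OpenEdge oeablSecurity.properties file is mine, and Python's re.search stands in for the Java RegEx engine the real filter uses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample fragment in Java .properties syntax. The key names are the
# ones documented above; the values, and the assumption that they live in the
# PAS for OpenEdge oeablSecurity.properties file, are illustrative.
SAMPLE_PROPERTIES = """
# SSO-wide settings
OESSO.require.https=true
OESSO.error.detail=1
# Refresh filter settings
OESSORefreshFilter.refreshURL=/static/auth/token
OESSORefreshFilter.refreshURLOption=refresh
OESSORefreshFilter.ssoRefreshClientType=*
OESSOTokenManager.ssoRefreshDeltaTime=3600
"""

# URI spaces that refreshURL must never fall into (from the property description)
RESERVED_URI_SPACES = ("/apsv", "/soap", "/rest", "/web")


def parse_properties(text):
    """Minimal key=value parser for the .properties fragment (comments and blank lines skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective(props, key, fallback_key, default):
    """refreshSecure and refreshErrorDetail inherit from the OESSO.* property unless set explicitly."""
    if key in props:
        return props[key]
    return props.get(fallback_key, default)


def validate_refresh_config(props):
    """Return a list of configuration problems; an empty list means the fragment passes."""
    problems = []
    url = props.get("OESSORefreshFilter.refreshURL", "/static/auth/token").strip()
    if not url:
        problems.append("refreshURL must not be blank")
    elif any(url == space or url.startswith(space + "/") for space in RESERVED_URI_SPACES):
        problems.append(f"refreshURL {url!r} lies in a reserved URI space")
    elif not url.startswith("/"):
        problems.append(f"refreshURL {url!r} must be a relative URI starting with '/'")

    delta = props.get("OESSOTokenManager.ssoRefreshDeltaTime", "3600")
    if not delta.isdigit() or int(delta) < 1:
        problems.append(f"ssoRefreshDeltaTime {delta!r} must be an integer >= 1 second")

    for key in ("OESSO.error.detail", "OESSORefreshFilter.refreshErrorDetail"):
        if key in props and props[key] not in ("0", "1", "2"):
            problems.append(f"{key} {props[key]!r} must be 0, 1 or 2")

    if effective(props, "OESSORefreshFilter.refreshSecure", "OESSO.require.https", "true") != "true":
        problems.append("refresh over plain HTTP is allowed (refreshSecure/require.https is not true)")

    pattern = props.get("OESSORefreshFilter.ssoRefreshClientType", "*")
    if pattern != "*":
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"ssoRefreshClientType {pattern!r} is not a valid regex: {exc}")
    return problems


def is_refresh_request(props, request_url, user_agent):
    """Decide whether a request would be accepted as a refresh request.

    Returns (accepted, reason). Exact-path matching and re.search in place of
    Java's regex engine are assumptions of this model, not documented behaviour.
    """
    parts = urlsplit(request_url)
    https_required = effective(props, "OESSORefreshFilter.refreshSecure",
                               "OESSO.require.https", "true") == "true"
    if https_required and parts.scheme != "https":
        return False, "https required"
    if parts.path != props.get("OESSORefreshFilter.refreshURL", "/static/auth/token"):
        return False, "not the refresh URI"
    option = props.get("OESSORefreshFilter.refreshURLOption", "refresh")
    # keep_blank_values keeps "?refresh" (no "=value") as a present option
    if option not in parse_qs(parts.query, keep_blank_values=True):
        return False, f"missing ?{option} query option"
    pattern = props.get("OESSORefreshFilter.ssoRefreshClientType", "*")
    if pattern != "*" and not re.search(pattern, user_agent or ""):
        return False, "User-Agent does not match ssoRefreshClientType"
    return True, "refresh request accepted"


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print("config problems:", validate_refresh_config(cfg))
    print(is_refresh_request(cfg, "https://myauthservice/static/auth/token?refresh", "OpenEdge-Client/12"))
    print(is_refresh_request(cfg, "http://myauthservice/static/auth/token?refresh", "OpenEdge-Client/12"))
```

Setting OESSO.require.https=false in the fragment is the weak configuration the page warns against: validate_refresh_config reports it, and is_refresh_request then accepts the same refresh over plain http, which is exactly the exposure the refreshSecure default is meant to close.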