The SSO access token in PAS for OpenEdge is a base64-encoded, sealed Client-Principal; the seal lets PAS verify that the token's contents have not been altered since it was issued. An optional refresh token is a unique string value that is paired with one, and only one, Client-Principal token.

A Client-Principal token contains at least these fields:

  • User-id and OpenEdge domain
  • Login state (SSO)
  • Expiration
  • Roles (as granted by the Spring Security framework's existing behavior)
  • Scope (supplements Roles as a mechanism to further refine authorization rules: it limits clients holding a given access token to specific web services, and it is tested before role-based URL authorization.)
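As an added illustration of how these fields take part in an access decision, the Python model below is written for this page and is not PAS for OpenEdge's own code: the real Client-Principal seal is a proprietary format, so this stand-in serializes the listed fields as JSON, appends an HMAC-SHA256 seal under a hypothetical domain access code and base64-encodes the result. The URL-to-service and URL-to-role tables, the user names and the tokens are all constructed. The point it shows is the order of checks: seal, login state and expiration first, then scope, and only then the role-based URL rule, so a token whose roles would satisfy a URL is still refused when that URL's web service is outside the token's scope. It also models the one-to-one, single-use pairing of a refresh token with an access token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical seal key standing in for the OpenEdge domain access code (constructed).
SEAL_KEY = b"hypothetical-domain-access-code"
MAC_LEN = 32  # HMAC-SHA256 digest length appended after the JSON body

# Constructed authorization tables, not from the page: the web service each URL
# belongs to (used by the Scope check) and the roles each URL requires.
URL_SERVICE = {"/web/orders": "Orders", "/web/admin": "AdminSvc"}
URL_ROLES = {"/web/orders": {"OrderClerk"}, "/web/admin": {"Admin"}}

# Refresh token -> the single access token it is paired with (in-memory stand-in).
REFRESH_STORE = {}


def seal_token(fields, key=SEAL_KEY):
    """Serialize the Client-Principal fields, seal them with HMAC-SHA256, base64-encode."""
    body = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def unseal_token(token, key=SEAL_KEY):
    """Return the fields if the seal verifies, otherwise None (tampered or wrong key)."""
    raw = base64.b64decode(token)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(body)


def make_token(user_id, domain, roles, scope, ttl=3600, now=None):
    """Mint an SSO access token carrying the fields listed on this page."""
    now = time.time() if now is None else now
    return seal_token({
        "user_id": user_id,
        "domain": domain,
        "login_state": "SSO",
        "expiration": now + ttl,       # UNIX epoch seconds
        "roles": sorted(roles),
        "scope": sorted(scope),        # web services this token may reach
    })


def authorize(token, url, now=None):
    """Decide whether the bearer of `token` may call `url`; returns (allowed, reason).

    Scope is evaluated before the role-based URL rule, so a wrong-service token
    is refused with reason "scope" even when its roles would have passed.
    """
    now = time.time() if now is None else now
    cp = unseal_token(token)
    if cp is None:
        return False, "seal"
    if cp["login_state"] != "SSO":
        return False, "login_state"
    if now >= cp["expiration"]:
        return False, "expired"
    service = URL_SERVICE.get(url)
    if service is None:
        return False, "unknown url"
    if service not in cp["scope"]:          # scope tested first
        return False, "scope"
    if not URL_ROLES[url] & set(cp["roles"]):  # then role URL authorization
        return False, "role"
    return True, "ok"


def issue_refresh(token):
    """Pair a fresh, unique refresh token with exactly one access token."""
    refresh = secrets.token_urlsafe(24)
    REFRESH_STORE[refresh] = token
    return refresh


def redeem_refresh(refresh, ttl=3600, now=None):
    """Consume a refresh token once; mint a new access token for the same principal."""
    token = REFRESH_STORE.pop(refresh, None)   # single use: a replay finds nothing
    if token is None:
        return None
    cp = unseal_token(token)
    if cp is None:
        return None
    now = time.time() if now is None else now
    cp["expiration"] = now + ttl
    return seal_token(cp)


if __name__ == "__main__":
    tok = make_token("alice", "Sales", {"OrderClerk"}, {"Orders"})
    print(authorize(tok, "/web/orders"))   # allowed
    print(authorize(tok, "/web/admin"))    # refused on scope, before roles are looked at
```

Because the scope check runs before the role check, the two refusal reasons are distinguishable in the return value, which is useful when writing tests for a service's authorization rules: a "role" refusal means the token reached the URL rules at all, a "scope" refusal means it never did.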