Validating an access token is an essential step in the OAuth2 resource server's authentication and authorization process. Every access token must pass the payload requirement checks, the data integrity signature check, and (optionally) the expiration check. If any of these checks fails, the client's HTTP request is rejected. Validation requires a keystore paired with an encryption key, and the keystore type you select must be appropriate for the encryption algorithm used to sign the token.

Configure PAS for OpenEdge to use an OAuth2 keystore

A keystore stores private keys and identity certificates. PAS for OpenEdge keystore types include:
Table 1. OAuth2 supported keystore types
Type        Description
jwk         Validates the token using a JWK set of RSA public keys and/or digital certificates downloaded from the authorization server that issued the token.
jwkissuer   Validates the token using a JWK set of RSA public keys and/or digital certificates downloaded from the authorization server that issued the token. Provides more user information than a jwk keystore.
pkcs12      Validates the token using a Java encrypted keystore holding an AES secret key and JWK RSA and EC private-key/certificate pairs, built using the Java keytool.
mac         Validates the token using a Java encrypted keystore holding an AES secret key and JWK RSA and EC private-key/certificate pairs, built using the Java keytool.
pem         Validates the token using a local file system directory path that contains individual .pem files holding RSA public/private encryption keys. The name of the .pem file (minus the .pem extension) is the alias used to identify which key to use.

Configure a jwk keystore

A JWK set is a JSON structure that holds one or more individual JWK JSON objects. Each JWK object contains a single RSA public key and can be identified by an alias. When a JWT is received and its header contains a kid claim, the kid value is used as the alias to look up the JWK object. If the JWT's header does not contain a kid claim, or no JWK can be resolved by that alias, the request is rejected.

jwtToken.keystore.type=jwk
jwtToken.jwkurl=URL of where JWK RSA public keys will be loaded from
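As an added example (not code from the PAS for OpenEdge documentation or product), the following Python applies the jwk lookup rules described above: the kid in the JWT header is resolved against a constructed JWK set, a token without a kid or with an unknown alias is rejected, and the optional expiration check from the introduction is included. The key set, tokens and function names are constructed placeholders; signature verification itself is not performed here.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed sample JWK set (placeholder key material, not real keys): two RSA
# public keys, each identified by its "kid", as a jwk keystore would download them.
SAMPLE_JWK_SET = {
    "keys": [
        {"kty": "RSA", "kid": "key-2024", "alg": "RS256", "n": "placeholder-n", "e": "AQAB"},
        {"kty": "RSA", "kid": "key-2023", "alg": "RS256", "n": "placeholder-n", "e": "AQAB"},
    ]
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_token(header: dict, payload: dict) -> str:
    # Builds a sample JWT with a dummy signature segment (signature checking is out of scope).
    segs = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segs + ["dummy-signature"])

def resolve_key(token: str, jwk_set: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Apply the jwk keystore lookup rules; returns (accepted, alias or rejection reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "rejected: malformed JWT"
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "rejected: undecodable header or payload"
    kid = header.get("kid")
    if not kid:
        return False, "rejected: header has no kid claim"
    jwk = next((k for k in jwk_set.get("keys", []) if k.get("kid") == kid), None)
    if jwk is None:
        return False, f"rejected: no JWK with alias {kid!r}"
    if "alg" in jwk and jwk["alg"] != header.get("alg"):
        return False, "rejected: header alg does not match the JWK alg"
    # Optional expiration check: exp is seconds since the epoch.
    exp = payload.get("exp")
    current = now if now is not None else int(time.time())
    if exp is not None and current >= exp:
        return False, "rejected: token expired"
    return True, kid
```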

Configure a jwkissuer keystore

The jwkissuer type requires that jwkIssuerUrl points to a JWK set provider configuration. The configuration specifies a set of RSA public keys and/or digital certificates downloaded from the authorization server that issues the JWT. This type provides more user information than a standard jwk type.

jwtToken.keystore.type=jwkissuer
jwtToken.keystore.jwkIssuerUrl=URL of a JWK (JSON Web Key) authorization server's configuration.
Note: The server queries three different discovery endpoints in turn and initializes from the values in the first successful response. For more details, see the oeablSecurity.properties.README file.

A JWT's data integrity signature can be produced with several signature algorithms. JWT support in PAS for OpenEdge includes the HMAC and RSA (public and private key) algorithms specified in the JSON Web Signature (JWS) standard.

Configure a mac type keystore

Set the following properties in the oeablSecurity.properties file:

jwtToken.keystore.type=mac
jwtToken.keystore=path-to-keystore
Note: The keystore is maintained by using the Java keytool utility. See Oracle documentation for more information.
jwtToken.keystore.pwd=value
    value: A string value, either clear text or encoded text. Encoded text is the output of oe-install-dir/bin/stspwdutil.
jwtToken.keystore.alias=sample
    sample: The name of the keystore entry's alias used when you store the JWT RSA signature's public-key certificate that you obtained from the authorization server's operators.

Configure a PEM keystore

All files holding PEM-encoded RSA public keys must be in the form file-name.pem. You must configure the file system directory path (which acts as a keystore) and the alias for finding the PEM file within the file system directory:

jwtToken.keystore.type=pem
jwtToken.keystore=<file-system-path to PEM files>
jwtToken.keystore.alias=<PEM file-name>
Note:
  • The PEM-encoded file may optionally contain the RSA private key.
  • A sample PEM-encoded file can be found in a PAS for OpenEdge instance's conf/jwtkeys directory.
RSA public/private key pairs can be generated for testing by using the following two command lines (the first generates the private key, the second extracts the public key from it):
oe-install-dir/bin/sslc genpkey -out filename.prv.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:key-bit-size

oe-install-dir/bin/sslc rsa -pubout -in filename.prv.pem -out filename.pub.pem