Generate an access and ID token pair
- Last Updated: February 11, 2026
- 3 minute read
- OpenEdge
- Version 13.0
- Documentation
Description
Generates a base64-encoded JSON string containing an OAuth2 access token and ID token. Both tokens are stored in the server cache for introspection requests. The System Administrator must configure PAS for OpenEdge and OpenEdge Authentication Gateway to supply the required claims.
- For more information on PAS for OpenEdge security configurations, see $DLC/servers/pasoe/conf/oeablSecurity.properties.README.
- For more information on OpenEdge Authentication Gateway security configurations, see the ../conf/oeablSecurity.properties.README file.
OESECTOOL does not support generating opaque access tokens. Use a non-opaque token to test remote validation configurations. The ID token uses the properties with the id.token prefix to configure the identity token claims.
Configure the OAuth2 server properties
Edit the oesectool-oauth2.properties file to work with the PAS for OpenEdge or OpenEdge Authentication Gateway configurations as follows:
- Set the user IDs for the users:
  sectool.user.ids=user1,user2
- Set the properties for the users:
  user1.sub="yshre@progress.com"
  user1.preferred_username="yshre@progress.com"
  user1.given_name="York"
  user1.family_name="Shrek"
  user1.name="York Shrek"
  user1.email="yshre@progress.com"
  user1.locale="US"
  user1.id="00u2k1xc0fHUEeghc5d7"
  user1.zoneinfo="America/Los_Angeles"
  user1.scope="PSCUser"
  user2.sub="kludil@progress.com"
  user2.preferred_username="kludil@progress.com"
  user2.given_name="Kunel"
  user2.family_name="Ludilschik"
  user2.name="Kunel Ludilschik"
  user2.email="kludil@progress.com"
  user2.locale="US"
  user2.id="00u2k1xc0fHUEeghclmc"
  user2.zoneinfo="America/Los_Angeles"
  user2.scope="PSCUser"
- Set the claims.
  - Set the access token claims with the access.token prefix for user1, including:
    #access.token.
    access.token.ver=1
    access.token.jti="${general.access_token_jti}"
    access.token.iss="${general.iss}"
    access.token.aud="${general.aud}"
    access.token.sub="${${sectool.user.id}.sub}"
    access.token.iat=now
    access.token.exp=now+1h
    access.token.cid="${general.cid}"
    access.token.uid="${${sectool.user.id}.id}"
    access.token.scope="${${sectool.user.id}.scope}"
    access.token.scp=["openid","email","profile"]
    access.token.token_use="access"
    Note: The values ${${sectool.user.id}.sub} and ${${sectool.user.id}.id} are the sub and id properties of the selected user. For example:
    user1.sub="kyork@progress.com"
    user1.id="00u2k1xc0fHUEeghc5d7"
    Time properties use the form:
    now[+|-{y|M|d|h|m|s}{integer}]
    where:
    - now: current time
    - y: year
    - M: month
    - d: day
    - h: hour
    - m: minute
    - s: second
  - Set the ID token claims with the id.token prefix for user1, including:
    #id.token.
    id.token.ver=1
    id.token.jti="${general.id_token_jti}"
    id.token.iss="${general.iss}"
    id.token.aud="${general.aud}"
    id.token.sub="${${sectool.user.id}.sub}"
    id.token.name="${${sectool.user.id}.name}"
    id.token.email="${${sectool.user.id}.email}"
    id.token.iat=now
    id.token.exp=now+1h
    id.token.amr=${general.amr}
    id.token.idp="${general.idp}"
    id.token.preferred_username="${${sectool.user.id}.preferred_username}"
    id.token.auth_time=now
    id.token.at_hash=0
    Note: Users may add or remove claims.
- Sign the prepared access token using the security key, which is defined in one of the following ways:
  - By using a client oesectool shared secret.
  - By using a private key from a PAS for OpenEdge keystore.
  - The shared secret is defined by the token.key.secret property. The PAS for OpenEdge oeablSecurity.properties file has the jwtToken.macKey property, which has the same value. This value is encrypted.
  - Comment out token.key.secret because there are a number of ways to obtain a public key to validate the signature, including:
    - Request the public keys from the OAuth2 server.
    - Request the configuration properties from the OAuth2 server, extract the URL used to get the public keys (jwks_uri), and call the OAuth2 server to get the public keys and the verified PEM file with a public key or certificate.
    - Use a PEM file with a public key or certificate.
- Optional. To use JWE tokens, provide the following properties, which match the PAS for OpenEdge properties and the subset available for OpenEdge Authentication Gateway:
  token.key.encalias - a key alias from the PASOE keystore. Example: defaultkey
  token.key.encalg - the algorithm to use. Example: RSA-OAEP-256
  token.key.encmethod - the encryption method. Example: A256CBC-HS512
  Note: The OpenEdge Advanced Security add-on is required to use JWE tokens.
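To show how the claim properties above are resolved at generation time, here is an added Python example (not OESECTOOL's own code) that expands the nested ${...} placeholders and evaluates the now[+|-...] time expressions over a constructed subset of oesectool-oauth2.properties. It assumes that sectool.user.id selects the user being generated and treats y and M as fixed 365-day and 30-day spans.

```python
import json, re

# Constructed subset of oesectool-oauth2.properties (values from the page's
# example); sectool.user.id selects the user being generated (assumption).
PROPERTIES_TEXT = """
sectool.user.id=user1
general.iss="https://localhost:9999"
user1.sub="yshre@progress.com"
user1.id="00u2k1xc0fHUEeghc5d7"
access.token.iss="${general.iss}"
access.token.sub="${${sectool.user.id}.sub}"
access.token.uid="${${sectool.user.id}.id}"
access.token.iat=now
access.token.exp=now+1h
access.token.scp=["openid","email","profile"]
"""
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "M": 2592000, "y": 31536000}  # y, M fixed (assumption)
TIME_RE = re.compile(r"^now(?:([+-])(\d+)([yMdhms]))?$")  # now, now+1h, now-5m
PLACEHOLDER_RE = re.compile(r"\$\{([^${}]+)\}")  # matches the innermost ${...} only

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(value, props):
    # Expand inside out: ${${sectool.user.id}.sub} -> ${user1.sub} -> yshre@progress.com
    while (m := PLACEHOLDER_RE.search(value)):
        value = value[:m.start()] + props[m.group(1)].strip('"') + value[m.end():]
    return value

def eval_time(expr, now):
    m = TIME_RE.match(expr)
    if not m:
        raise ValueError("bad time expression: " + expr)
    sign, n, unit = m.groups()
    return now if sign is None else now + (1 if sign == "+" else -1) * int(n) * UNIT_SECONDS[unit]

def build_claims(props, prefix, now):
    claims = {}
    for key, raw in props.items():
        if key.startswith(prefix):
            name, value = key[len(prefix):], resolve(raw, props)
            if name in ("iat", "exp", "auth_time"):
                claims[name] = eval_time(value, now)
            else:  # quoted values are strings; bare values such as scp are JSON
                claims[name] = value.strip('"') if value.startswith('"') else json.loads(value)
    return claims
```

Calling build_claims(parse_properties(PROPERTIES_TEXT), "access.token.", 1689709708) yields the sub, uid, iss and scp values of the sample access token below, with exp exactly 3600 seconds after iat.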
HTTP Operation
GET
URL
Command-line example
Response
Note: The response has been formatted to fit the page and to separate the tokens.
The result has two tokens:
- Access token (access_token):
  Header:
  { "alg": "RS256" }
  Payload:
  {
    "aud": "oeablapp",
    "sub": "yshre@progress.com",
    "uid": "00u2k1xc0fHUEeghc5d7",
    "scp": [ "openid", "email", "profile" ],
    "ver": 1,
    "token_use": "access",
    "scope": "PSCUser",
    "iss": "https://localhost:9999",
    "exp": 1689713308,
    "iat": 1689709708,
    "jti": "AT.7YHGAaohrCAagun6NSIZIOS6SEVYTrUFc5g6FHHvT4g",
    "cid": "oeablClient"
  }
- ID token:
  Header:
  { "alg": "RS256" }
  Payload:
  {
    "at_hash": "Ov9CjttsuvE/2f4wfI/v8Q==",
    "sub": "yshre@progress.com",
    "ver": 1,
    "amr": [ "pwd" ],
    "iss": "https://localhost:9999",
    "preferred_username": "yshre@progress.com",
    "aud": "oeablapp",
    "idp": "00o2k1xbuvCzbxq815d7",
    "auth_time": 1689709708,
    "name": "York Shrek",
    "exp": 1689713308,
    "iat": 1689709708,
    "jti": "ID.T4qn53PbvCCUJy7xqOcWmPIEjf-HyWZ9QQP1DbWj_bo",
    "email": "yshre@progress.com"
  }