The OpenEdge Authentication Gateway centralizes the OpenEdge domain access model to manage user access to applications and data. Instead of configuring each instance, you can configure one or more PAS for OpenEdge instances to delegate token validation to the OpenEdge Authentication Gateway. When configured to use OAuth2, the OpenEdge Authentication Gateway validates OAuth2 tokens and exchanges them for ABL client-principal objects. Centralizing the OpenEdge domain access model allows Security Administrators to use existing OAuth2 authorization servers, while ABL Developers can seamlessly use OpenEdge client-principal objects for controlling application and database access.

The user's perspective

In the simplest form, an OAuth2 client logs into an application by supplying their credentials and receives a token in return.

How PAS for OpenEdge delegates authentication to the OpenEdge Authentication Gateway

When an OAuth2 client requests a resource, a configured PAS for OpenEdge instance requires a valid access token before allowing the client to access the service. The PAS for OpenEdge instance delegates the validation of the token to the OpenEdge Authentication Gateway. The exact validation process depends on the OpenEdge Authentication Gateway configuration.

OpenEdge Authentication Gateway validates and exchanges the bearer token for a client-principal on behalf of the configured PAS for OpenEdge instances, centralizing the OpenEdge domain access. The steps include:
  1. An OAuth2 client passes the token to a PAS for OpenEdge instance when requesting access to a resource.
  2. The PAS for OpenEdge instance delegates the validation of the token to the OpenEdge Authentication Gateway.
  3. The OpenEdge Authentication Gateway validates the token.
  4. If the token is valid, the OpenEdge Authentication Gateway returns a client-principal containing the user information from the token.
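
The four steps above, modeled end to end as an added example (not OpenEdge code or configuration). All names, the HS256 signing key, the audience and the domain are hypothetical, and the signature, audience and expiry checks stand in for whatever validation the gateway is actually configured to perform.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not OpenEdge settings).
GATEWAY_KEY = b"demo-signing-key"  # held by the gateway model only
EXPECTED_AUD = "orders-api"
DOMAIN = "example-domain"

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(claims, key=GATEWAY_KEY):
    """Stand-in for the OAuth2 authorization server: emits an HS256 JWT."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body, key))}"

def gateway_exchange(token, now):
    """Steps 3-4: validate the token; return a principal dict or None."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
    except ValueError:
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; do not trust the header
        return None
    if not hmac.compare_digest(sign(head, body, GATEWAY_KEY), given):
        return None
    exp, user = claims.get("exp"), claims.get("sub")
    if not isinstance(exp, int) or exp <= now or claims.get("aud") != EXPECTED_AUD:
        return None
    if not isinstance(user, str) or not user:
        return None
    return {"user": user, "domain": DOMAIN, "expires": exp}

def pas_handle_request(bearer_token, now):
    """Steps 1-2: the PAS model holds no key and only delegates."""
    principal = gateway_exchange(bearer_token, now)
    if principal is None:
        return 401, None  # reject: no principal, no access
    return 200, f"{principal['user']}@{principal['domain']}"
```

Because only the gateway model holds the validation key, every instance that delegates to it applies the same accept and reject decisions.
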

This guide demonstrates the steps for securing access to an application through configuration of each of the following components:

A separate tutorial is available for securing direct access to a database server. For more information on securing a database server, see Enable the database to use the OpenEdge Authentication Gateway.