Open Authorization 2.0 (OAuth2) is a standard for online authorization providing login access to third-party websites and applications without exposing user account credentials.

The user's perspective

In the simplest form, an OAuth2 client logs into an application and receives a token in return by supplying their credentials.

How PAS for OpenEdge uses the token

When an OAuth2 client requests a resource, a configured PAS for OpenEdge instance requires a valid access token before allowing the client to access the service. The PAS for OpenEdge instance validates with an authorization server. The exact validation process depends on the configuration of PAS for OpenEdge and the third-party authorization server.

To demonstrate the token exchange, this guide uses OESECTOOL as a test authorization server and then explores additional configurations available with third-party authorization servers.

How to configure PAS for OpenEdge to use OAuth2

To use OAuth2, OpenEdge security administrators must configure PAS for OpenEdge to act as a resource server. After you configure PAS for OpenEdge, it unlocks and validates OAuth2 tokens and then converts the tokens to CLIENT-PRINCIPAL objects. ABL developers use the CLIENT-PRINCIPAL object to authenticate and authorize access to ABL application resources.

The configuration of PAS for OpenEdge depends on the client and authorization server choices.
These choices determine the information required to unlock and validate the token containing the user account credentials. PAS for OpenEdge needs these details to unlock and validate the token before converting the token into a CLIENT-PRINCIPAL object.