Configure JWT/OAuth2 Self-contained Access Token conversion to an OpenEdge client-principal

As with every Spring Security authentication process in PAS for OpenEdge, a successful authentication and authorization produces an OpenEdge client-principal object, which is delivered to the ABL application code on each request.

The following table indicates the mapping of self-contained JWT fields to OpenEdge client-principal attributes:

JWT field                 Client-principal attribute
sub (by configuration)    User-id
exp                       LOGIN-EXPIRATION-TIMESTAMP
scope                     Roles
<misc> (if configured)    Properties

Configure mapping of the JWT scope claim to Spring and client-principal roles

The JWT scope claim is a comma-separated list of values; each value is mapped to a role name in both the Spring authentication token and the client-principal object. Those mapped roles are what the security configuration uses to authorize the client's access to specific URLs:

jwtToken.mapScopeToRole={ true | false }
The recommended claim name for the scope of the authenticated user is scope. If the authorization server that issues the token uses a different claim name, configure it as shown below:
jwtToken.scopeNameField={ scope }

If the configured scope claim is not present in the JWT, PAS for OpenEdge assigns the default role PSCUser instead. You can change that default with the jwtToken.defaultRoles property in the oeablSecurity.properties file. Note that any otherwise valid token that carries no scope claim therefore still receives the default role, so make sure the URL rules that accept PSCUser grant no more access than you intend such tokens to have.

Refer to the JWT issuer's documentation to determine which claim holds the scope of the authenticated user, and map that claim to the scope (role) as described above.

Configure JWT claims as client-principal property values

A JWT may carry any number of additional payload claims defined by the authorization server. To make those claims available to the ABL application as properties of the client-principal object, set the following option:

jwtToken.includeAllClaims={ true | false }

The creation and sealing of the client-principal object are handled by the OEClientPrincipalFilter and follow its usual configuration rules.
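The following Python model ties the scope-to-role mapping and the includeAllClaims option together. It is an added example written for this page, not OpenEdge's or Spring Security's own code: it reads the documented jwtToken.* keys from a constructed oeablSecurity.properties fragment and applies them to a JWT payload to show which client-principal attributes result, including the fall-back to jwtToken.defaultRoles when the scope claim is absent and the refusal of an expired token. Signature verification is assumed to have happened upstream; the helper names, the sample tokens and the simplified URL-rule check are assumptions made for the example.

```python
"""Model of how PAS for OpenEdge turns a validated JWT into a client-principal.

Added example, not OpenEdge's own code. It reads the documented jwtToken.*
keys from an oeablSecurity.properties fragment and applies them to a JWT
payload. The signature is assumed to have been verified upstream; the helper
names, sample tokens and the authorization check are constructed here.
"""
import base64
import json
from datetime import datetime, timezone

# Constructed oeablSecurity.properties fragment using the documented keys.
PROPERTIES_TEXT = """
# Map the scope claim to Spring / client-principal roles
jwtToken.mapScopeToRole=true
jwtToken.scopeNameField=scope
jwtToken.defaultRoles=PSCUser
jwtToken.includeAllClaims=false
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_test_token(claims):
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_payload(token):
    """Return the claims of a compact JWT. Assumes the signature was already verified."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def to_client_principal(claims, props, now=None):
    """Apply the jwtToken.* settings to the claims and return the CP attributes."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(int(claims["exp"]), tz=timezone.utc)  # exp -> LOGIN-EXPIRATION-TIMESTAMP
    if expires <= now:
        raise ValueError("token expired; refusing to create a client-principal")

    scope_field = props.get("jwtToken.scopeNameField", "scope")
    roles = []
    if props.get("jwtToken.mapScopeToRole", "false").lower() == "true":
        raw = claims.get(scope_field, "")
        # The page documents a comma-separated string; a JSON array is accepted too.
        items = raw if isinstance(raw, list) else str(raw).split(",")
        roles = [str(r).strip() for r in items if str(r).strip()]
    if not roles:
        # No usable scope claim: fall back to jwtToken.defaultRoles (PSCUser by default).
        roles = [r.strip() for r in props.get("jwtToken.defaultRoles", "PSCUser").split(",")]

    properties = {}
    if props.get("jwtToken.includeAllClaims", "false").lower() == "true":
        properties = {k: str(v) for k, v in claims.items()}  # every claim, as strings

    return {
        "user-id": claims["sub"],  # sub -> User-id
        "login-expiration-timestamp": expires,
        "roles": roles,
        "properties": properties,
    }


def is_authorized(cp, allowed_roles):
    """Simplified URL-rule check: any mapped role in the allowed set grants access."""
    return bool(set(cp["roles"]) & set(allowed_roles))


if __name__ == "__main__":
    props = parse_properties(PROPERTIES_TEXT)
    token = make_test_token({"sub": "alice", "exp": 4102444800,
                             "scope": "PSCUser,Admin", "tenant": "acme"})
    print(to_client_principal(decode_payload(token), props))
```

Run it with different PROPERTIES_TEXT values to see the effect of each key: with jwtToken.includeAllClaims=true the tenant claim appears under properties, and a token without a scope claim ends up with only the PSCUser default role, which is why the URL rules that accept PSCUser deserve a second look.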