The HTTP FORM authentication model provides user session support when the client uses application-defined URL resources for login and logout operations. The client supplies the user's identity assertions (such as user ID and password) in the body of a POST request and receives session information in the headers of the POST response. On each subsequent HTTP request, the client passes the session information it received during login as HTTP header information.

Applying SSO to this authentication model involves obtaining the native OpenEdge SSO token that is created and stored as part of the user login, and passing that SSO token to other web applications that are configured to accept it.

Client request

POST web-app-url/static/auth/j_spring_security_check?OECP=yes
Content-Type: application/x-www-form-urlencoded

j_username=userid&j_password=pwd

Server response

Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: JSESSIONID=user-session-reference

{ "token_type" : "oecp",
  "access_token" : "b64-oecp-sso-token",
  "refresh_token" : "oecp-ref-token",
  "expires_in" : int-seconds
}

Note: refresh_token may be blank, which indicates that the access_token cannot be refreshed.

HTTP Status Codes

  • 200 indicates successful server response.
  • 400 indicates an SSO token generation failure

    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    { "error" : "token-error-code",
      "error_description" : "error-desc"
    }

    Note: For more information on token-error-code, see SSO Token Error Codes.
  • 401 indicates user authentication failure for data services

    WWW-Authenticate : http-form realm info
  • 500 indicates an internal server failure.
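The exchange above, together with the status-code handling, as an added worked example; it is not part of the original documentation and is not OpenEdge's own code. Both sides run in-process: a constructed mock server (the credentials userid/pwd, the realm string, the token values and the expiry are made up for the example) and a client that performs the FORM login, reads the JSESSIONID cookie and the JSON token, and treats a blank refresh_token as "not refreshable". This page does not name the header used to present the SSO token to a second web application; the Authorization: Bearer form used below is an assumption.

```python
"""OECP FORM-login exchange: constructed mock server plus client (added example)."""
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

LOGIN_PATH = "/static/auth/j_spring_security_check"
MOCK_USERS = {"userid": "pwd"}  # constructed credential store for the mock only


class MockOecpLoginHandler(BaseHTTPRequestHandler):
    """Server side of the exchange, answering like the page's sample responses."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _json(self, status, doc, cookie=None):
        payload = json.dumps(doc).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json;charset=UTF-8")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Pragma", "no-cache")
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):
        url = urlsplit(self.path)
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if url.path != LOGIN_PATH or parse_qs(url.query).get("OECP") != ["yes"]:
            self._json(500, {"error": "server_error", "error_description": "unexpected request"})
            return
        if MOCK_USERS.get(form.get("j_username", [""])[0]) != form.get("j_password", [""])[0]:
            self.send_response(401)  # user authentication failure: realm in WWW-Authenticate
            self.send_header("WWW-Authenticate", 'FORM realm="mock-oecp"')  # constructed realm
            self.end_headers()
            return
        self._json(200, {"token_type": "oecp", "access_token": "b64-oecp-sso-token",
                         "refresh_token": "",  # blank: this token cannot be refreshed
                         "expires_in": 1800},
                   cookie="JSESSIONID=user-session-reference")


@dataclass
class OecpSession:
    access_token: str
    refresh_token: Optional[str]  # None when the server returned it blank
    expires_in: int
    jsessionid: Optional[str]


class OecpLoginError(Exception):
    def __init__(self, status, error=None, description=None, realm=None):
        super().__init__(f"login failed: HTTP {status} {error or ''} {description or ''}".strip())
        self.status, self.error, self.description, self.realm = status, error, description, realm


def parse_login_response(status, headers, body: bytes) -> OecpSession:
    """Map the status codes documented above onto a session or a typed error."""
    if status == 200:
        doc = json.loads(body)
        if doc.get("token_type") != "oecp":
            raise OecpLoginError(status, "unexpected_token_type", doc.get("token_type"))
        jsessionid = None
        for part in (headers.get("Set-Cookie") or "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID":
                jsessionid = value
        return OecpSession(doc["access_token"], doc.get("refresh_token") or None,
                           int(doc["expires_in"]), jsessionid)
    if status == 400:  # SSO token generation failure, OAuth2-style error body
        doc = json.loads(body) if body else {}
        raise OecpLoginError(400, doc.get("error"), doc.get("error_description"))
    if status == 401:  # authentication failure, realm advertised by the server
        raise OecpLoginError(401, "authentication_failed", realm=headers.get("WWW-Authenticate"))
    raise OecpLoginError(status, "server_error")


def form_login(base_url: str, username: str, password: str) -> OecpSession:
    """Client side: POST the form with OECP=yes and parse whatever comes back."""
    req = Request(f"{base_url}{LOGIN_PATH}?OECP=yes",
                  data=urlencode({"j_username": username, "j_password": password}).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return parse_login_response(resp.status, resp.headers, resp.read())
    except HTTPError as err:  # urllib raises on 4xx/5xx; parse those bodies the same way
        return parse_login_response(err.code, err.headers, err.read())


def sso_request_headers(session: OecpSession) -> dict:
    """Headers for a request to another web app accepting the token (Bearer form assumed)."""
    return {"Authorization": f"Bearer {session.access_token}"}


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), MockOecpLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_mock_server()
    try:
        sess = form_login(base, "userid", "pwd")
        print("token:", sess.access_token, "refreshable:", sess.refresh_token is not None)
        print("downstream headers:", sso_request_headers(sess))
        try:
            form_login(base, "userid", "wrong")
        except OecpLoginError as e:
            print("expected failure:", e, "| realm:", e.realm)
    finally:
        server.shutdown()
```

The client never trusts a 200 alone: it checks token_type, and a 400 body is parsed into the error and error_description fields so the token-error-code can be logged rather than lost. Note that the cookie and the OECP token are distinct credentials; the cookie references the login web application's session, while the token is what other applications consume.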