Description

Generates a base64-encoded JSON string containing an OAuth2 access token and adds the token to the cache for validation requests. System administrators must supply a set of properties as claims of the access token, and then configure PAS for OpenEdge and OpenEdge Authentication Gateway to supply the required claims.

  • For more information on PAS for OpenEdge security configurations, see $DLC/servers/pasoe/conf/oeablSecurity.properties.README.
  • For more information on OpenEdge Authentication Gateway security configurations, see the ../conf/oeablSecurity.properties.README file.

OESECTOOL does not support generating opaque tokens. For remote validation tests, use a non-opaque token. For more information about using web tokens, see Authenticate using OAuth2 and JWT.

Configure the OAuth2 server properties

Edit the oesectool-oauth2.properties file to work with the PAS for OpenEdge or OpenEdge Authentication Gateway configurations, as follows:
  1. Set the user IDs for the users.
    sectool.user.ids=user1,user2
  2. Set the properties for the users.
    user1.sub="yshre@progress.com"
    user1.preferred_username="yshre@progress.com"
    user1.given_name="York"
    user1.family_name="Shrek"
    user1.name="York Shrek"
    user1.email="yshre@progress.com"
    user1.locale="US"
    user1.id="00u2k1xc0fHUEeghc5d7"
    user1.zoneinfo="America/Los_Angeles"
    user1.scope="PSCUser"
    
    user2.sub="kludil@progress.com"
    user2.preferred_username="kludil@progress.com"
    user2.given_name="Kunel"
    user2.family_name="Ludilschik"
    user2.name="Kunel Ludilschik"
    user2.email="kludil@progress.com"
    user2.locale="US"
    user2.id="00u2k1xc0fHUEeghclmc"
    user2.zoneinfo="America/Los_Angeles"
    user2.scope="PSCUser"
  3. Set the claims. The claims begin with the access.token. prefix. The claims for user1 include:
    #access.token.
    access.token.ver=1
    access.token.jti="${general.access_token_jti}"
    access.token.iss="${general.iss}"
    access.token.aud="${general.aud}"
    access.token.sub="${${sectool.user.id}.sub}"
    access.token.iat=now
    access.token.exp=now+1h
    access.token.cid="${general.cid}"
    access.token.uid="${${sectool.user.id}.id}"
    access.token.scope="${${sectool.user.id}.scope}"
    access.token.scp=["openid","email","profile"]
    access.token.token_use="access"
    Note: The values ${${sectool.user.id}.sub} and ${${sectool.user.id}.id} resolve to the sub and id properties of the user selected by sectool.user.id. For example:
    user1.sub="kyork@progress.com"
    user1.id="00u2k1xc0fHUEeghc5d7"
    Time properties use the syntax:
     now[+|-{y|M|d|h|m|s}{integer}]
    where:
    • now—current time
    • y—year
    • M—month
    • d—day
    • h—hour
    • m—minute
    • s—second
  4. Sign the access token using the security key defined in one of the following ways:
    1. By using a client oesectool shared secret. The shared secret is defined by the token.key.secret property. The PAS for OpenEdge oeablSecurity.properties file has the jwtToken.macKey property, which has the same value. This value is encrypted.
    2. By using a private key from a PAS for OpenEdge keystore. Comment out token.key.secret, because there are a number of ways to obtain a public key to validate the signature, including:
      • Request the public keys from the oauth2server.
      • Request the configuration properties from the oauth2server, extract the jwks_uri from them, and call the oauth2server at that URL to get the public keys.
      • Use a PEM file with a public key or certificate.
    3. Optional. For JWE tokens, provide the following properties, which match the PAS for OpenEdge properties (OpenEdge Authentication Gateway supports a subset of them):
      token.key.encalias - a key alias from the PASOE keystore. Example: defaultkey
      token.key.encalg - algorithm to use. Example: RSA-OAEP-256
      token.key.encmethod - encryption method. Example: A256CBC-HS512
    Note: The OpenEdge Advanced Security add-on is required to use JWE tokens.
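The following is an added example, not code from the OESECTOOL documentation or the product, that walks through steps 3 and 4 in working Python using only the standard library. It resolves the now+1h style time expressions (in the integer-then-unit form used by access.token.exp=now+1h on this page), assembles the access.token.* claim set for user1 from the property values shown above, signs it as a compact JWS with the shared-secret option (an HMAC-SHA256 MAC, standing in for token.key.secret / jwtToken.macKey), and then verifies it the way a resource server would: pinned algorithm, constant-time MAC comparison, issuer and audience match, and an expiry check. The secret value, the HS256 choice, the helper names and the year/month approximations are assumptions of the example.

```python
# Added example (not OESECTOOL or PAS for OpenEdge code): build, sign and verify
# an access token from property-style definitions using a shared secret (HS256).
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed sample properties, mirroring the oesectool-oauth2.properties excerpt.
USERS = {
    "user1": {
        "sub": "yshre@progress.com",
        "id": "00u2k1xc0fHUEeghc5d7",
        "scope": "PSCUser",
    },
}
GENERAL = {"iss": "https://localhost:9999", "aud": "oeablapp", "cid": "oeablClient"}

# Assumed shared secret; in the real setup it is token.key.secret / jwtToken.macKey.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"

# Unit letters are case-sensitive: M is month, m is minute. Year and month are
# approximated as 365 and 30 days (an assumption of this example).
_UNIT_SECONDS = {"y": 365 * 86400, "M": 30 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TIME_RE = re.compile(r"^now(?:([+-])(\d+)([yMdhms]))?$")


def resolve_time(expr, now):
    """Resolve a now[+|-<integer><unit>] expression such as now+1h to epoch seconds."""
    match = _TIME_RE.match(expr)
    if not match:
        raise ValueError(f"bad time expression: {expr!r}")
    sign, amount, unit = match.groups()
    if sign is None:
        return now
    delta = int(amount) * _UNIT_SECONDS[unit]
    return now + delta if sign == "+" else now - delta


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(user_id, now, jti="AT.constructed-jti"):
    """Build the access.token.* claim set from step 3 for the selected user."""
    user = USERS[user_id]
    return {
        "ver": 1,
        "jti": jti,
        "iss": GENERAL["iss"],
        "aud": GENERAL["aud"],
        "sub": user["sub"],            # ${${sectool.user.id}.sub}
        "iat": resolve_time("now", now),
        "exp": resolve_time("now+1h", now),
        "cid": GENERAL["cid"],
        "uid": user["id"],             # ${${sectool.user.id}.id}
        "scope": user["scope"],        # ${${sectool.user.id}.scope}
        "scp": ["openid", "email", "profile"],
        "token_use": "access",
    }


def sign_hs256(claims, secret):
    """Produce a compact JWS (header.payload.signature) with an HMAC-SHA256 MAC."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token, secret, now, expected_iss, expected_aud):
    """Verify alg, MAC, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never take it from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        raise ValueError("wrong issuer or audience")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    token = sign_hs256(build_claims("user1", now), SHARED_SECRET)
    print(token)
    print(json.dumps(verify_hs256(token, SHARED_SECRET, now, GENERAL["iss"], GENERAL["aud"]), indent=2))
```

Running the module prints a compact JWS whose decoded payload carries the same claim names as the Result section below, with iat and exp exactly one hour apart. The verifier rejects a token presented after exp, a token signed with a different secret, and a token whose header names a different algorithm, which are the checks PAS for OpenEdge performs on its side with the jwtToken.macKey value.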

HTTP Operation

GET

URL

http[s]://hostname:port/jwt/username

Example

With the server started, use a browser to generate an access token.
http://localhost:8888/jwt/user1

Result

The encoded JWS access token is:
eyJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJvZWFibGFwcCIsInN1YiI6InlzaHJlQHByb2dyZXNzLmNvbSIsIn
VpZCI6IjAwdTJrMXhjMGZIVUVlZ2hjNWQ3Iiwic2NwIjpbIm9wZW5pZCIsImVtYWlsIiwicHJvZmlsZSJdL
CJ2ZXIiOjEsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiUFNDVXNlciIsImlzcyI6Imh0dHBzOlwv
XC9sb2NhbGhvc3Q6OTk5OSIsImV4cCI6MTY4OTk1NTE2MywiaWF0IjoxNjg5OTUxNTYzLCJqdGkiOiJBVC4
3WUhHQWFvaHJDQWFndW42TlNJWklPUzZTRVZZVHJVRmM1ZzZGSEh2VDRnIiwiY2lkIjoib2VhYmxDbGllbn
QifQ.MgiLvQUAAOwAxd9k0UxGCxL714asfvg9dSPNkk60DK82aN4ZaaI1-jQXVSBD1vCyKra5LLF59w6WYz
x7BhB5VfVPBaztGdiBuEek8M-7AUz0kLQRhSFVgff3v8pdhXmlkyiCS_fu8wOQLH0otlLGSyKzTq5WQQW9i
mCXU9nWS4PkcAPiadinxZYAbJ8hZt8GCEcvxQewylpvuOi9EGyOqudmBiY4AqvUFJh1HN_HA1YzXIffon6u
UF9oV7HOL6Nv3C2blanocHce-I0xS7JWHDEm4GmEdNP3U4k-IQ9q8osNgaxVhuQHTgrKFjfTTfp3T5y3Pls
lLnBao39VjTL5UQ
Note: The token was formatted to fit the page.
The decoded token is:
Header: 
{
  "alg": "RS256"
}
Payload:
{
  "aud": "oeablapp",
  "sub": "yshre@progress.com",
  "uid": "00u2k1xc0fHUEeghc5d7",
  "scp": [
    "openid",
    "email",
    "profile"
  ],
  "ver": 1,
  "token_use": "access",
  "scope": "PSCUser",
  "iss": "https://localhost:9999",
  "exp": 1689713021,
  "iat": 1689709421,
  "jti": "AT.7YHGAaohrCAagun6NSIZIOS6SEVYTrUFc5g6FHHvT4g",
  "cid": "oeablClient"
}
The payload represents the set of claims.
Note: JWE tokens add an extra layer of security by encrypting the token so that it cannot be read without the additional step of decrypting the token.