Configure OAuth2 or JWT Token Validation Services
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
Set the token services validation type
At the core of Spring Security’s OAuth2 support is the validation of an access token. The payload of the access token must minimally contain a set of claim fields. That minimal list varies depending upon whether the token is an OAuth2 access token or a simple JWT.
To configure which type of payload validation PAS for OpenEdge applies to the token obtained from the HTTP request's authorization header, set the following property in oeablSecurity.properties:
oauth2.resSvc.tokenServices={ jwt | oauth2 }
- jwt
  jwt tokenServices looks for a JWT in the bearer scheme value of the HTTP request's authorization header. If a JWT-type bearer token is found, its signature and the required JWT payload claims (aud and exp) are validated before the request is passed to the URL authorization process. Using JWT tokens carries more risk because the token's contents are exposed to untrusted clients, such as a browser in an internet client. This selection is most useful for cases where intranet clients obtain a JWT from a non-compliant OAuth2 authorization server and use it to access a resource server without the need for full, formal OAuth2 validity checking.
- oauth2
  oauth2 tokenServices incorporates jwt tokenServices and adds checking for the required OAuth2 standard payload claims. This selection is most useful for cases where either internet or intranet clients follow one of the four OAuth2 authorization flows to an authorization server.
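As an added illustration (not code from the OpenEdge product or from this page), the following Python sketch performs the checks the jwt tokenServices selection is described as making: locate a bearer JWT in the Authorization header, verify its signature, then require valid exp and aud claims. The signing algorithm (HS256 with a constructed shared key), the audience value and all function names are assumptions made for the demo; the signing-key configuration PAS for OpenEdge actually uses is not shown.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real deployment uses the key and audience configured
# for PAS for OpenEdge, not these.
DEMO_KEY = b"constructed-demo-secret"
EXPECTED_AUD = "pas-oe-resource"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT so the validator can be exercised offline (demo helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_bearer(auth_header: str, key: bytes = DEMO_KEY,
                    audience: str = EXPECTED_AUD, now=None) -> tuple:
    """Bearer scheme present, signature valid, then required claims exp and aud.
    Returns (accepted, reason); a False result is what turns into the 401 response."""
    now = time.time() if now is None else now
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return False, "no bearer JWT in Authorization header"
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if not isinstance(claims.get("exp"), (int, float)) or "aud" not in claims:
        return False, "missing or invalid required claim (exp/aud)"
    if now >= claims["exp"]:
        return False, "token expired"
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if audience not in aud:
        return False, "audience mismatch"
    return True, "ok"
```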
The oauth2.resSvc.tokenServices property is overridden if oauth2.opaqueToken.instrospectionURI is set to collect identity token details from an authorization server that supports OpenID Connect (OIDC).
Configure OAuth2 sessions
An OAuth2 resource server hosts a stateless REST API for its clients. As a stateless REST API, it does not create user HTTP sessions, but this does not preclude the REST API's implementation from creating them. Spring Security provides a property to control the generation and use of HTTP sessions. The default is to follow the normal stateless REST API model.
This can be changed to have Spring Security use and maintain HTTP sessions by setting the following property’s value in oeablSecurity.properties to false:
Configure the WWW-Authenticate realm name
An OAuth2 resource server accepts access tokens using the HTTP authorization header. If the resource server's validation of the access token fails, it returns a 401 status and a WWW-Authenticate HTTP header with a realm-challenge phrase. The response's realm-challenge phrase can be customized by setting the following property value in oeablSecurity.properties: