The SSO access token in PAS for OpenEdge is a Base64-encoded and sealed CLIENT-PRINCIPAL. An optional Refresh token is a unique string value that is paired to one CLIENT-PRINCIPAL token.

A CLIENT-PRINCIPAL token minimally contains these fields:

  • User ID and OpenEdge domain
  • State SSO
  • Expiration
  • Roles (as granted by the Spring Security framework’s existing behavior)
  • Scope (supplements Roles as a mechanism to further refine authorization rules: it limits clients holding certain access tokens to certain web services, and is checked before Role-based URL authorization is tested.)
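The checks a PAS for OpenEdge service should run against such a token before trusting it, as an added ABL example (not Progress's own code): decode the Base64 string, import it into a CLIENT-PRINCIPAL, verify the seal, and then confirm the SSO login state, the expiration and the roles listed above. The procedure name `ValidateSsoToken`, the required role `PSCUser` and the property name used to carry the Scope value (`scope`) are assumptions; the page does not name them.

```abl
/* Added example, not code from the original page. Validates an incoming
   PAS for OpenEdge SSO access token: a Base64-encoded, sealed
   CLIENT-PRINCIPAL. Assumes the domain registry for the session has
   already been loaded so that VALIDATE-SEAL( ) can look up the domain
   access code. The role name and the scope property name are placeholders. */
PROCEDURE ValidateSsoToken:
    DEFINE INPUT  PARAMETER pcToken  AS CHARACTER NO-UNDO. /* Base64 token from the client */
    DEFINE INPUT  PARAMETER pcScope  AS CHARACTER NO-UNDO. /* scope this web service requires */
    DEFINE OUTPUT PARAMETER plValid  AS LOGICAL   NO-UNDO INITIAL FALSE.
    DEFINE OUTPUT PARAMETER pcReason AS CHARACTER NO-UNDO.

    DEFINE VARIABLE hCP  AS HANDLE NO-UNDO.
    DEFINE VARIABLE mRaw AS MEMPTR NO-UNDO.
    DEFINE VARIABLE rRaw AS RAW    NO-UNDO.

    /* 1. Undo the Base64 encoding to recover the sealed CLIENT-PRINCIPAL bytes. */
    mRaw = BASE64-DECODE(pcToken).
    rRaw = GET-BYTES(mRaw, 1, GET-SIZE(mRaw)).
    SET-SIZE(mRaw) = 0.

    CREATE CLIENT-PRINCIPAL hCP.

    DO ON ERROR UNDO, THROW:
        /* 2. Import the sealed token; fails on malformed input. */
        IF NOT hCP:IMPORT-PRINCIPAL(rRaw) THEN DO:
            pcReason = "token could not be imported".
            RETURN.
        END.

        /* 3. The seal ties the token to the OpenEdge domain's access code;
              anything unsealed or tampered with must be rejected here. */
        IF NOT hCP:VALIDATE-SEAL() THEN DO:
            pcReason = "seal is invalid for domain " + hCP:DOMAIN-NAME.
            RETURN.
        END.

        /* 4. State must be SSO: a LOGIN, LOGOUT, EXPIRED or FAILED principal
              is not an SSO access token. */
        IF hCP:LOGIN-STATE <> "SSO" THEN DO:
            pcReason = "unexpected login state " + hCP:LOGIN-STATE.
            RETURN.
        END.

        /* 5. Expiration is checked against the server clock, not the client's. */
        IF hCP:LOGIN-EXPIRATION-TIMESTAMP <= NOW THEN DO:
            pcReason = "token expired at " + STRING(hCP:LOGIN-EXPIRATION-TIMESTAMP).
            RETURN.
        END.

        /* 6. Roles: a comma-separated list granted at login ("PSCUser" is a placeholder). */
        IF LOOKUP("PSCUser", hCP:ROLES) = 0 THEN DO:
            pcReason = "required role missing; roles are " + hCP:ROLES.
            RETURN.
        END.

        /* 7. Scope restricts which web services this token may reach and is
              tested before role-based URL authorization. The property name
              "scope" is an assumption made for this example. */
        IF LOOKUP(pcScope, hCP:GET-PROPERTY("scope")) = 0 THEN DO:
            pcReason = "token scope does not cover " + pcScope.
            RETURN.
        END.

        plValid = TRUE.
        pcReason = "ok for user " + hCP:USER-ID + "@" + hCP:DOMAIN-NAME.

        CATCH e AS Progress.Lang.Error:
            pcReason = "token validation error: " + e:GetMessage(1).
        END CATCH.
        FINALLY:
            IF VALID-HANDLE(hCP) THEN DELETE OBJECT hCP.
        END FINALLY.
    END.
END PROCEDURE.
```

The order of the checks matters for the defender: seal first, because every later field (state, expiration, roles, scope) is only meaningful once the token is known to be untampered, and scope before roles, which mirrors the evaluation order the page describes.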