Configuring JWT/OAuth2 Self-contained Access Token conversion to an OpenEdge Client-Principals
Like all Spring Security processes in PAS for OpenEdge, a successful authentication and authorization produces an OpenEdge Client-Principal that is delivered to the ABL application code on each request. The following table indicates the mapping of Self-contained JWT fields to OpenEdge Client-Principal attributes:
JWT Field                  Client-Principal Attribute
sub (by configuration)     User-id
exp                        expires
scope                      Roles
<misc> (if configured)     Properties
Configure mapping the JWT's scope claim to Spring and Client-Principal Roles
The JWT scope claim is a comma-separated list of values, where each value is mapped to a role name in the Spring and Client-Principal tokens. Those mapped role values are used to authorize the client's access to specific URLs:
jwtToken.mapScopeToRole={ true | false }
Configure JWT claims as Client-Principal property value
JWT tokens may contain any number of Authorization Server-defined payload claims. To make those claims available to the ABL application as Client-Principal properties, set this option:
jwtToken.includeAllClaims={ true | false }
The creation and sealing of a Client-Principal is handled by the OEClientPrincipalFilter and follows its usual configuration rules.
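The following Python snippet is an added illustration (not Progress code, and not what OEClientPrincipalFilter executes) of the mapping described above, applied to an already-verified, decoded JWT payload: it shows what a Client-Principal would carry under each combination of jwtToken.mapScopeToRole and jwtToken.includeAllClaims. The configurable user-id claim, the role names being the raw scope values, and the sample payload are assumptions for the demonstration.

```python
import re
import time

# Claims that map to fixed Client-Principal attributes and are therefore
# not copied into the Properties collection when includeAllClaims is set.
MAPPED_CLAIMS = {"sub", "exp", "scope"}

def scope_to_roles(scope):
    """Split the scope claim into role names.

    The documentation describes the claim as comma separated; whitespace is
    also accepted as a separator (assumption), since OAuth2 scope strings are
    conventionally space-delimited.
    """
    if not scope:
        return []
    return [s for s in re.split(r"[,\s]+", scope.strip()) if s]

def to_client_principal(claims, map_scope_to_role=True,
                        include_all_claims=False, user_id_claim="sub"):
    """Apply the documented JWT -> Client-Principal mapping to decoded claims.

    user_id_claim models the 'sub (by configuration)' row: the claim that
    supplies User-id is configurable (assumed default 'sub').
    """
    cp = {
        "user_id": claims.get(user_id_claim),
        "expires": claims.get("exp"),          # exp -> expires (epoch seconds)
        "roles": scope_to_roles(claims.get("scope")) if map_scope_to_role else [],
        "properties": {},
    }
    if include_all_claims:
        # <misc> claims -> Properties; the already-mapped claims are excluded.
        cp["properties"] = {k: v for k, v in claims.items() if k not in MAPPED_CLAIMS}
    return cp

def is_expired(cp, now=None):
    """True when the expires attribute is missing or not in the future."""
    now = time.time() if now is None else now
    return cp["expires"] is None or cp["expires"] <= now

# Constructed sample payload; signature verification happens upstream.
SAMPLE_CLAIMS = {
    "iss": "https://auth.example.test",
    "sub": "alice",
    "exp": 1700003600,
    "scope": "orders:read,orders:write",
    "tenant": "acme",
}

if __name__ == "__main__":
    print(to_client_principal(SAMPLE_CLAIMS, True, True))
```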