Configuring OAuth2 or JWT Token Validation Services
Setting the Token Services Validation Type
At the core of Spring Security’s OAuth2 support is the validation of an access token. The payload of the access token must minimally contain a set of claim fields. That minimal list is different depending on whether the token is an OAuth2 Access Token or a simple JWT.
To configure PAS for OpenEdge for the type of token payload validation obtained from the HTTP request's Authorization header, set the following property in openedge.properties:
oauth2.resSvc.tokenServices={ jwt | oauth2 }
jwt
jwt tokenServices looks for a JWT in the Bearer scheme value of the HTTP request’s Authorization header. If a JWT-type Bearer token is found, its signature and the required JWT payload claims (aud and exp) are validated before it is passed along to the URL authorization process. Using JWT tokens carries more risk, as it exposes the token’s information to untrusted Clients, such as a browser in an internet client. This selection is most useful for cases where intranet Clients obtain a JWT from a non-compliant OAuth2 Authorization Server and use it to access a Resource Server without the need for full formal OAuth2 validity checking.
oauth2
oauth2 tokenServices incorporates jwt tokenServices and adds additional checking for required OAuth2 standard payload claims. This selection is most useful for cases where either internet or intranet Clients follow one of the four OAuth2 authorization flows to an Authorization Server.
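The following is an added illustration, not code from PAS for OpenEdge or Spring Security, of the checks the jwt tokenServices selection performs on a Bearer token: extract the token from the Authorization header, verify the signature, and require the aud and exp claims. It assumes an HS256 signature with a constructed demo key (a real Resource Server uses the Authorization Server's key or certificate) and a constructed expected audience "pas-resource"; the extra OAuth2 claims checked by the oauth2 selection are not listed on this page and are not modelled here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment uses the Authorization Server's signing key.
DEMO_KEY = b"constructed-demo-hmac-key"
# The two claims the jwt tokenServices selection requires in the payload.
REQUIRED_JWT_CLAIMS = ("aud", "exp")


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_bearer(authorization_header):
    """Return the Bearer token from an Authorization header value, or None."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def make_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT; stands in for the Authorization Server in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_jwt(token: str, key: bytes, expected_aud: str, now=None):
    """Return (ok, reason); ok is True only if signature, aud and exp all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm: never let the token choose (rejects "alg": "none").
    if header.get("alg") != "HS256":
        return False, "unsupported or missing alg"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    # Only after the signature holds are the claims worth reading.
    for claim in REQUIRED_JWT_CLAIMS:
        if claim not in payload:
            return False, f"missing required claim: {claim}"
    aud = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if expected_aud not in aud:
        return False, "audience mismatch"
    if not isinstance(payload["exp"], (int, float)) or payload["exp"] <= now:
        return False, "token expired"
    return True, "ok"


def check_request(authorization_header, key=DEMO_KEY, expected_aud="pas-resource", now=None):
    """Full path from raw header value to accept/reject decision."""
    token = parse_bearer(authorization_header)
    if token is None:
        return False, "no bearer token"
    return validate_jwt(token, key, expected_aud, now)


if __name__ == "__main__":
    now = int(time.time())
    token = make_jwt({"aud": "pas-resource", "exp": now + 300, "sub": "demo-user"})
    print(check_request("Bearer " + token))
    print(check_request("Bearer " + make_jwt({"aud": "pas-resource", "exp": now - 1})))
```

The order matters: the signature is checked before any claim is trusted, and the algorithm is fixed by the Resource Server rather than read from the token header, which is the usual way JWT validators go wrong.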
Configuring OAuth2 Sessions
An OAuth2 Resource Server hosts a stateless REST API for its Clients. As a stateless REST API, it will not create user HTTP sessions, but this does not preclude the REST API’s implementation from creating them. Spring Security provides a property to control the generation and use of HTTP sessions. The default is to follow the normal REST API stateless model.
This can be changed to have Spring Security use and maintain HTTP Sessions by setting the following property’s value in openedge.properties to false:
oauth2.resSvc.stateless={ true | false }
Configuring the WWW-Authenticate Realm Name
An OAuth2 Resource Server accepts Access Tokens via the HTTP Authorization header. If the Resource Server’s validation of the Access Token fails it will return a 401 status and a WWW-Authenticate HTTP header with a realm-challenge phrase. The response’s realm-challenge phrase can be customized by setting this property value in openedge.properties: