Configuring Refresh of OpenEdge Native SSO Tokens
Mitigating client-side security holes, poor client application code security, and man-in-the-middle attacks is essential to the security of SSO tokens handled by clients, as is limiting the window of time in which they can be used. Using small windows of time requires the ability to transparently refresh an SSO token with a new expiration time. The refresh of an SSO token requires that only the authenticated user has the knowledge it shared with the SSO token issuer, which allows the SSO token issuer to validate that only the authenticated user can obtain a refreshed SSO token.
The OE SSO token refresh provides a client with the ability to refresh an expired OpenEdge Native SSO token. The implementation intercepts a web application relative URI, validates the client's refresh token, and, if successful, reissues a new OpenEdge Native SSO token with a given lifetime.

OE SSO Token Refresh Properties

Property Name: OESSO.require.https
Data Type: boolean
Default: true
Value Range: true | false
Description: When true, sets the requirement for all SSO operations to require a client request to be made by using the HTTPS URL scheme. Set to false allows HTTP (not recommended for operating a secure web application).
This property is used to set the property OESSORefreshFilter.refreshSecure.

Property Name: OESSO.error.detail
Data Type: integer
Default: 1
Value Range: 0 (none), 1 (terse), 2 (debug)
Description: Controls the amount of error detail returned to a client for all SSO operations. The default (0) meets security best practices in returning little of value a hacker can make use of. But it does not supply an administrator or end-user with useful information for problem solving. Higher levels provide more information to administrators for problem resolution, but can also provide information usable by a hacker to attack your application.
This property is used to set the property OESSORefreshFilter.refreshErrorDetail.

Property Name: OESSORefreshFilter.refreshURL
Data Type: string
Default: /static/auth/token
Value Range: viable relative URI
Description: Sets the relative URI a client will use to execute a refresh operation for an expired OE SSO token. The property's value may not be blank or in any of the following URI spaces:
*/apsv
*/soap
*/rest
*/web

Property Name: OESSORefreshFilter.refreshURLOption
Data Type: string
Default: refresh
Value Range: { refresh }
Description: The URL query option name that contains the type of token operation requested by the client.
For example: https://myauthservice/statis/auth/token?refresh

Property Name: OESSORefreshFilter.ssoRefreshClientType
Data Type: string
Default: * (every client type)
Value Range: Java RegEx pattern
Description: Adds the ability to require the HTTP request's User-Agent: header to contain a specific value as defined by a Java RegEx pattern. The default "*" value disables User-Agent: header checking.

Property Name: OESSOTokenManager.ssoRefreshDeltaTime
Data Type: integer
Default: 3600 (1 hour)
Value Range: 1 to n seconds
Description: Controls the amount of time, in seconds, that a refreshed OE SSO token will remain valid before it expires and must be refreshed again.

Property Name: OESSORefreshFilter.refreshErrorDetail
Data Type: integer
Default: 0
Value Range: 0-3
Description: Controls the amount of error detail returned to a client during the OE SSO token refresh process.
This property is normally set using the OESSO.error.detail property to keep error detail information level consistent across different SSO process operations. The property's value may be explicitly set if the OE SSO token refresh errors should return a different amount of error information than other SSO operations.

Property Name: OESSORefreshFilter.refreshSecure
Data Type: boolean
Default: true
Value Range: true | false
Description: Used to control the requirement for HTTPS requests from the client while refreshing an OE SSO token.
This property is normally set using the OESSO.require.https property to keep the requirements for using HTTPS consistent across the different SSO process operations. This property may be explicitly set independently if the requirement for HTTPS is different from other SSO operations.
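
The following is an added example, not code from Progress or from the original page: a small audit script that checks explicitly set refresh properties against the constraints in the table above. It assumes plain key=value input, that an explicitly set OESSORefreshFilter.* value overrides the OESSO.* property that normally sets it, that "in a URI space" means the first path segment, and that MAX_LIFETIME is a local policy ceiling rather than a product limit.

```python
# Added example: audit OE SSO token refresh properties against the table above.
# Assumptions: key=value input; an explicitly set OESSORefreshFilter.* value
# overrides the OESSO.* property that normally sets it; MAX_LIFETIME is a
# local policy ceiling (here the table's 3600-second default), not a product limit.
RESERVED = ("apsv", "soap", "rest", "web")  # refreshURL may not be in */apsv etc.
MAX_LIFETIME = 3600

SAMPLE_WEAK = """\
# constructed sample, not taken from a real deployment
OESSO.require.https=false
OESSO.error.detail=2
OESSORefreshFilter.refreshURL=/rest/auth/token
OESSOTokenManager.ssoRefreshDeltaTime=86400
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return the names of explicitly set properties whose values are weak or invalid."""
    p = parse_properties(text)
    weak = []
    # Effective value: the specific filter property wins over the general one.
    secure = p.get("OESSORefreshFilter.refreshSecure", p.get("OESSO.require.https"))
    if secure is not None and secure.lower() != "true":
        weak.append("refreshSecure")        # refresh accepted over plain HTTP
    detail = p.get("OESSORefreshFilter.refreshErrorDetail", p.get("OESSO.error.detail"))
    if detail is not None and detail != "0":
        weak.append("refreshErrorDetail")   # more than level 0 (none) goes to clients
    url = p.get("OESSORefreshFilter.refreshURL")
    if url is not None:
        # "in a URI space" is read here as: first path segment is a reserved name
        segments = [s for s in url.split("?")[0].split("/") if s]
        if not segments or segments[0] in RESERVED:
            weak.append("refreshURL")
    delta = p.get("OESSOTokenManager.ssoRefreshDeltaTime")
    if delta is not None and not (delta.isdigit() and 1 <= int(delta) <= MAX_LIFETIME):
        weak.append("ssoRefreshDeltaTime")  # non-numeric, below 1, or above the ceiling
    return weak

if __name__ == "__main__":
    print(audit(SAMPLE_WEAK))
```

Properties that are absent from the input are not reported, since the product defaults then apply.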