HTTP FORM Authentication Model
The HTTP FORM authentication model provides user session support when the client uses application-defined URL resources for login/logout operations. The client supplies the user’s identification assertions (such as user-id/password) in a POST request’s body and receives session information in the POST response’s headers. For each subsequent HTTP request, the session information received as part of the login operation is passed as HTTP header information.
Applying SSO to this authentication model involves obtaining the native OpenEdge SSO token created and stored as part of the user login process, and passing that SSO token to other web applications that are configured to accept it.

Client request

POST web-app-url/static/auth/j_spring_security_check?OECP=yes
Content-Type: application/x-www-form-urlencoded

j_username=userid&j_password=pwd

Server response

Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
set-cookie : JSESSIONID=user-session-reference

{ "token_type" : "oecp",
"access_token" : "b64-oecp-sso-token",
"refresh_token" : "oecp-ref-token",
"expires_in" : int-seconds
}
Note: refresh_token may be blank, indicating that the access_token may not be refreshed.

HTTP Status Codes

* 200 indicates successful server response.
* 400 indicates an SSO token generation failure.
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

"error_description" : "error-desc"
}

token-error-code
Note: For more information on token-error-code, see SSO Token Error Codes.
* 401 indicates user authentication failure for data services.
WWW-Authenticate : http-form realm info
* 500 indicates an internal server failure.
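
A client-side handler for the login response and status codes described above, as an added example that is not part of the Progress documentation. The function and class names, the lowercase header dictionary, and the sample values are assumptions; the 400 branch reads only error_description because that is the only error field whose key appears on this page.

```python
import json
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie

class LoginError(Exception):
    """Raised for any login response that is not a usable token grant."""
    def __init__(self, status, reason):
        super().__init__(f"{status}: {reason}")
        self.status = status

@dataclass(frozen=True)
class OecpSession:
    access_token: str   # base64 OECP SSO token; a credential, never log it
    refresh_token: str  # "" means the access token cannot be refreshed
    expires_at: float   # absolute epoch seconds derived from expires_in
    jsessionid: str     # session reference from the set-cookie header

    @property
    def refreshable(self):
        return bool(self.refresh_token)

def parse_login_response(status, headers, body, now=None):
    """Map the documented status codes and JSON body to a session or an error."""
    if status == 400:
        desc = json.loads(body or "{}").get("error_description", "")
        raise LoginError(400, f"SSO token generation failure: {desc}")
    if status == 401:
        raise LoginError(401, "user authentication failure")
    if status != 200:
        reason = "internal server failure" if status == 500 else "unexpected status"
        raise LoginError(status, reason)
    doc = json.loads(body)
    if doc.get("token_type") != "oecp" or not doc.get("access_token"):
        raise LoginError(200, "response is not an OECP token grant")
    expires_in = doc.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in <= 0:
        raise LoginError(200, "missing or invalid expires_in")
    cookie = SimpleCookie(headers.get("set-cookie", ""))
    sid = cookie["JSESSIONID"].value if "JSESSIONID" in cookie else ""
    now = time.time() if now is None else now
    return OecpSession(doc["access_token"], doc.get("refresh_token") or "",
                       now + expires_in, sid)

# Constructed sample response, shaped like the template on this page.
SAMPLE_HEADERS = {"set-cookie": "JSESSIONID=ABC123; Path=/; HttpOnly"}
SAMPLE_BODY = ('{"token_type": "oecp", "access_token": "Y29uc3RydWN0ZWQ=", '
               '"refresh_token": "", "expires_in": 3600}')
```

Storing the absolute expiry rather than the raw expires_in lets the client stop presenting a token once it has lapsed, and the refreshable flag tells it whether to attempt a refresh or send the user back through the login form.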