The SSO access token in PAS for OpenEdge is a base64-encoded and sealed Client-Principal. An optional Refresh token is a unique string value that is paired to one, and only one, Client-Principal token.
A Client-Principal token minimally contains these fields:
User-id and OpenEdge domain
State SSO
Expiration
Roles (as granted by the Spring Security framework’s existing behavior)
Scope (supplements Roles as a mechanism to further refine authorization rules; it limits clients with certain access tokens to certain web services, before Role URL authorization is tested)
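The ordering described for Scope and Roles can be modelled as follows. This is an added example, not PAS for OpenEdge code: the `Token` class, the policy tables, the paths, the role names and the checks on state and expiration are all assumptions made for illustration, and the real token is a sealed Client-Principal rather than a plain object.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Token:
    """Constructed model of the fields listed above; not the sealed format."""
    user_id: str
    domain: str
    state: str
    expires: datetime
    roles: frozenset
    scopes: frozenset

# Assumed policy tables (constructed): the scope each web service requires,
# and the role each URL pattern requires (first matching pattern wins).
SERVICE_SCOPE = {"/web/orders": "orders", "/web/hr": "hr"}
URL_ROLES = [
    ("/web/orders/admin/*", "ROLE_Admin"),
    ("/web/orders/*", "ROLE_User"),
    ("/web/hr/*", "ROLE_User"),
]

def service_for(path):
    """Return the web service prefix that owns this path, or None."""
    for prefix in SERVICE_SCOPE:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None

def authorize(token, path, now):
    """Deny by default; Scope is tested before Role URL authorization."""
    if token.state != "SSO":          # assumed check on the State field
        return "deny: state"
    if now >= token.expires:          # assumed check on the Expiration field
        return "deny: expired"
    service = service_for(path)
    if service is None or SERVICE_SCOPE[service] not in token.scopes:
        return "deny: scope"          # roles are never consulted
    for pattern, role in URL_ROLES:
        if fnmatchcase(path, pattern):
            return "allow" if role in token.roles else "deny: role"
    return "deny: role"

# Constructed sample tokens.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ALICE = Token("alice", "corp", "SSO", NOW + timedelta(minutes=30),
              frozenset({"ROLE_User"}), frozenset({"orders"}))
EXPIRED = Token("alice", "corp", "SSO", NOW - timedelta(seconds=1),
                frozenset({"ROLE_User"}), frozenset({"orders"}))
```

The `/web/hr/payroll` request is the case to note: the token holds the role that URL requires, but it is rejected at the scope step and the role rule is never evaluated.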