OpenEdge oAuth2 in 11.7.2?

Posted by carl.williams on 25-Aug-2017 10:21

I believe the plan is to support oauth2 in 11.7.2? Does anyone have any details on this? We are interested from the point of view of REST security.

Thanks.

Posted by Michael Jacobs on 30-Aug-2017 06:52

Hello Carl,

What we can tell you about OAuth2 in 11.7.2 is that support is being worked on for PAS for OE's Spring Security. Spring Security will act as a Resource Server that validates the inbound OAuth2 token, and if it can be validated and user information recovered, a Client-Principal will be created and delivered to the ABL business application. The OAuth2 Resource Server support will initially cover the REST, WEB, and static-file transports. At this time no OAuth2 support is being planned for the classic REST Adapter and AppServer.

You are free to ask additional questions, but I will only release what we know and have unit tested.

I hope that helps,

Mike Jacobs

All Replies

Posted by carl.williams on 30-Aug-2017 07:02

Many thanks for the update; we were looking at using the WEB transports. Just to clarify, will the oAuth2 support also generate the token?

Posted by Michael Jacobs on 30-Aug-2017 07:38

The OAuth2 Spring support will generate a Client-Principal and deliver it to the ABL application via the session:current-request-info attribute, like it does for all of the other Spring-supported authentication. Spring will pick up the JWT's user-id and expiration and use those in the Client-Principal. You will have options to add static Role names from the configuration, map the OAuth2 token's granted 'scope' as Roles, or there is a specific JWT field name that it will look for and use for Role names. Using the JWT's session-id (or its equivalent) and mapping it to the Client-Principal session-id is something I'll be taking a look at.

Mike J.
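To make the two answers above concrete, here is an added example (my own illustration, not Progress code and not how PAS for OE or Spring Security is actually implemented) of what a resource server does with an inbound JWT: verify the signature, reject an expired token, and then map the claims into a Client-Principal-like record using the three role sources Mike describes (static roles from configuration, the granted scope, and a configurable claim name). Everything here is assumed for illustration: a shared HS256 secret stands in for the authorization server's verification key, the `sub`/`exp`/`scope`/`jti` claim names are the standard JWT ones, `groups` is a made-up role claim, and the Client-Principal is modelled as a plain dictionary.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only. A real resource server would hold
# the authorization server's verification key (or fetch its published keys).
SHARED_SECRET = b"example-resource-server-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 JWT. Stands in for the authorization server that issues tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, key: bytes = SHARED_SECRET, now: float = None) -> dict:
    """Resource-server side: check structure, signature and expiry, return the claims.

    Raises ValueError for anything that must not reach the business application.
    """
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = pieces
    header = json.loads(_b64url_decode(header_b64))
    # Only accept the algorithm we configured; never let the token pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no user id in token")
    return claims


def build_principal(claims: dict, static_roles=(), scopes_as_roles=True, role_claim=None) -> dict:
    """Map validated claims onto a Client-Principal-like record.

    Role names come from up to three places, mirroring the options in the post:
    static names from configuration, the space-separated OAuth2 'scope', and an
    optional claim (role_claim) whose value is a string or a list of strings.
    """
    roles = list(static_roles)
    if scopes_as_roles:
        roles.extend(claims.get("scope", "").split())
    if role_claim and role_claim in claims:
        value = claims[role_claim]
        roles.extend(value if isinstance(value, list) else [value])
    return {
        "user_id": claims["sub"],
        "expires": claims["exp"],
        "session_id": claims.get("jti"),   # JWT ID as the session-id equivalent
        "roles": sorted(set(roles)),
    }


if __name__ == "__main__":
    # Constructed sample token: issued now, valid for five minutes.
    token = make_jwt({"sub": "carl", "exp": int(time.time()) + 300,
                      "scope": "read write", "groups": ["admin"], "jti": "sess-1"})
    principal = build_principal(validate_jwt(token),
                                static_roles=("PSCUser",), role_claim="groups")
    print(principal)
```

The important ordering is that nothing in `build_principal` runs until `validate_jwt` has accepted the signature and expiry; a token that fails either check never produces a principal, which is the behaviour the answer describes for PAS for OE (no Client-Principal unless the token validates and user information is recovered).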

Posted by Mike Fechner on 30-Aug-2017 07:44

Sounds great!

Will 11.7.2 also include documentation with complete configuration samples for authentication via LinkedIn, Twitter and Facebook? That would be really useful!

Posted by carl.williams on 30-Aug-2017 07:45

Thanks

Posted by Michael Jacobs on 30-Aug-2017 08:52

Hi Mike,

We have been trying out some of the names on that list.   I don't think we had considered adding any information like you suggest to any of the OpenEdge documentation.  But it does sound like a good idea.  I'll take this and see what might be possible to be helpful without getting anyone into trouble.

Thank you for the suggestion.

Mike J.

Posted by Mike Fechner on 30-Aug-2017 09:10

Many thanks, Mike!

This thread is closed