[Progress Communities] [Progress OpenEdge ABL] Forum Post: RE: PASOE and OAUTH/JWT Tokens - Creating Tokens

  • Thread starter mroberts@rev.com.au
  • Start date
Status
Not open for further replies.

mroberts@rev.com.au

Guest
I'm going to wake this thread up :)

OE11.7.4 Windows 64 bit

I am also using the oAuth 2.0 Samples, and trying to get the JWT tokens to work. I have a need to open up part of our app through oAuth, and using JWT and the oAuth built-in config seemed like a good place to try. I am however getting a Client Principal error:

(Procedure: 'IdmActivate.p' Line:60) client-principal validation failed in Session because - The client-principal was corrupt (16385)
[19/03/05@15:37:49.536+1100] P-020756 T-014156 1 AS-4 LogMgrWrtr [IdmActivate ERROR] Client-Principal cannot be validated

I believe I have followed the instructions as advertised:

1) I create the JWT token as requested.
2) It seems to pass through Spring Security OK; when I deliberately mangle the token and the values within, it rejects it because of expiration date/missing scope etc.
3) Token makes it into the Activate procedure.
4) At the time it tries to set-client, it fails:

lok = SECURITY-POLICY:SET-CLIENT(hCP).

with

client-principal validation failed in Session because - The client-principal was corrupt (16385)

I've printed the contents I can see of the client principal object in Activate, and it seems to see all the values correctly:

[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:37) MTR3 AUDIT-EVENT-CONTEXT
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:38) MTR3 CLIENT-TTY
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:39) MTR3 CLIENT-WORKSTATION
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:40) MTR3 DB-LIST ?
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:41) MTR3 DOMAIN-DESCRIPTION OE application:
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:42) MTR3 DOMAIN-NAME JWTdomain
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:43) MTR3 DOMAIN-TYPE OEApplication
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:44) MTR3 HANDLE 1082
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:45) MTR3 INSTANTIATING-PROCEDURE 1061
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:46) MTR3 LOGIN-EXPIRATION-TIMESTAMP 06/03/2019 04:25:14.000+11:00
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:47) MTR3 LOGIN-HOST
[19/03/05@16:32:41.524+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:48) MTR3 LOGIN-STATE SSO
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:50) MTR3 QUALIFIED-USER-ID 7965bba4-b65d-4212-adc7-6bd27eff180e@JWTdomain
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:51) MTR3 ROLES scope.PSCUser
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:52) MTR3 SEAL-TIMESTAMP 05/03/2019 16:32:41.000+11:00
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:53) MTR3 SESSION-ID 0
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:54) MTR3 STATE-DETAIL The CLIENT-PRINCIPAL object credentials were validated by an external system
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:55) MTR3 TYPE CLIENT-PRINCIPAL
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:56) MTR3 USER-ID 7965bba4-b65d-4212-adc7-6bd27eff180e
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:58) MTR3 property-names aud,token_use,iss,token_type,jti,email,client_id,username
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:65) MTR3 values pasoe.openedge.progress-users.com,access, nodejsJWT,bearer,random,isyed@progress.com,123456789,isyed
[19/03/05@16:32:41.526+1100] P-030688 T-007588 1 AS-4 -- (Procedure: 'IdmActivate.p' Line:67) client-principal validation failed in Session because - The client-principal was corrupt (16385)

How can I debug the corrupt message above and see what is causing the corruption?

NOTE: I have added DEBUG logging in PAS for the ClientPrincipal, and got the following:

16:32:41.274/26544 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - OEClientPrincipleFilter processing token of type: 'org.springframework.security.oauth2.provider.OAuth2Authentication
16:32:41.281/26551 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Substituting OEAuthenticationToken for authenticated token: 'org.springframework.security.oauth2.provider.OAuth2Authentication@8ccb3c1a: Principal: 7965bba4-b65d-4212-adc7-6bd27eff180e; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=bearertokenValue= ; Granted Authorities: scope.PSCUser'
16:32:41.285/26555 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Creating Domain Registry: 'com.progress.auth.OEDefaultRegistry'
16:32:41.295/26565 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Loading Domain Registry: 'com.progress.auth.OEDefaultRegistry'
16:32:41.335/26605 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Converting Spring token to OEAuthenticationToken: 'org.springframework.security.oauth2.provider.OAuth2Authentication@8ccb3c1a: Principal: 7965bba4-b65d-4212-adc7-6bd27eff180e; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=bearertokenValue= ; Granted Authorities: scope.PSCUser'
16:32:41.352/26622 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - replaceToken: using non-qualified userName 7965bba4-b65d-4212-adc7-6bd27eff180e
16:32:41.353/26623 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - replaceToken: applying property derived domain: JWTdomain
16:32:41.353/26623 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Set session-id with JTI claim: 0
16:32:41.356/26626 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Set expiration with UTC EXP claim: java.util.GregorianCalendar[time=1551806714000,areFieldsSet=true,areAllFieldsSet=true,lenient=true,zone=sun.util.calendar.ZoneInfo[id="Australia/Sydney",offset=36000000,dstSavings=3600000,useDaylight=true,transitions=142,lastRule=java.util.SimpleTimeZone[id=Australia/Sydney,offset=36000000,dstSavings=3600000,useDaylight=true,startYear=0,startMode=3,startMonth=9,startDay=1,startDayOfWeek=1,startTime=7200000,startTimeMode=1,endMode=3,endMonth=3,endDay=1,endDayOfWeek=1,endTime=7200000,endTimeMode=1]],firstDayOfWeek=1,minimalDaysInFirstWeek=1,ERA=1,YEAR=2019,MONTH=2,WEEK_OF_YEAR=10,WEEK_OF_MONTH=2,DAY_OF_MONTH=6,DAY_OF_YEAR=65,DAY_OF_WEEK=4,DAY_OF_WEEK_IN_MONTH=1,AM_PM=0,HOUR=4,HOUR_OF_DAY=4,MINUTE=25,SECOND=14,MILLISECOND=0,ZONE_OFFSET=36000000,DST_OFFSET=3600000]
16:32:41.356/26626 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Generating ClientPrincipal token: 7965bba4-b65d-4212-adc7-6bd27eff180e@JWTdomain ; 0
16:32:41.358/26628 [thd-1] WARN c.p.a.s.s.OEAuthenticationTokenConverter - Could not map JWT claim iat of an unknown data type
16:32:41.358/26628 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal static properties...
16:32:41.358/26628 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property aud with value: pasoe.openedge.progress-users.com
16:32:41.359/26629 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property token_use with value: access
16:32:41.359/26629 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property iss with value: https://nodejsJWT
16:32:41.359/26629 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property token_type with value: bearer
16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Found null value for property iat
16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property jti with value: random
16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property email with value: isyed@progress.com
16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property client_id with value: 123456789
16:32:41.360/26630 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal property username with value: isyed
16:32:41.363/26633 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal static properties...
16:32:41.363/26633 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Loading Spring authorities ...
16:32:41.364/26634 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Loading Spring authority : scope.PSCUser
16:32:41.365/26635 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Inserting ClientPrincipal roles: scope.PSCUser
16:32:41.366/26636 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Sealing ClientPrincipal token (K)
16:32:41.369/26639 [thd-1] DEBUG c.p.a.s.s.OEAuthenticationTokenConverter - Cloning Spring token with ClientPrincipal
16:32:41.370/26640 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - Replaced SecurityContextHolder with OEAuthenticationToken: from 'org.springframework.security.oauth2.provider.OAuth2Authentication@8ccb3c1a: Principal: 7965bba4-b65d-4212-adc7-6bd27eff180e; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=bearertokenValue= ; Granted Authorities: scope.PSCUser'
16:32:41.370/26640 [thd-1] DEBUG c.p.a.s.s.OEClientPrincipalFilter - OpenEdge CCID header not enabled

NOTE: it does not like iat, but I believe iat is a required part of the JWT, and it appears with the correct value in the agent log.

Thanks
Mark
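The Spring DEBUG output above warns that the iat claim "of an unknown data type" could not be mapped, and the agent log then lists the claim names and values that did reach the client-principal. As an added illustration (not code from the post, from PASOE or from Spring Security), the block below shows the kind of pre-check a resource server can run on a bearer token before trusting its claims: verify the HS256 signature, confirm that exp, iat and nbf are JSON numbers (RFC 7519 defines them as NumericDate), confirm exp is in the future, and match iss and aud. The signing key, the timestamps and the "bad" token whose iat is serialized as a string are constructed here; the aud and iss values and the non-standard claim names are taken from the log in the post.

```python
"""Inspect a JWT's registered claims and their JSON types (added example, standard library only).

The HS256 key, the claim timestamps and the failing token are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo key; a real deployment reads its verification key from configuration.
DEMO_SECRET = b"demo-hs256-secret-not-for-production"
# Constructed "current time" so the demo is deterministic (seconds since the epoch).
NOW = 1551800000
EXPECTED_ISS = "https://nodejsJWT"                  # iss value from the post's log
EXPECTED_AUD = "pasoe.openedge.progress-users.com"  # aud value from the post's log


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed compact JWT (stands in for the issuer side of the exchange)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _is_numeric_date(value) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def inspect_jwt(token: str, secret: bytes, expected_iss: str, expected_aud: str,
                now: Optional[int] = None) -> List[str]:
    """Verify the signature, then return every registered-claim problem found (empty list = acceptable)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return ["unexpected alg %r; refusing to verify" % header.get("alg")]
    expected_sig = hmac.new(secret, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        return ["signature does not verify"]
    claims = json.loads(_b64url_decode(parts[1]))

    findings = []
    # NumericDate claims must be JSON numbers; a string such as an ISO-8601 date is a type error.
    for name in ("exp", "iat", "nbf"):
        if name in claims and not _is_numeric_date(claims[name]):
            findings.append("%s is not a NumericDate: got %s %r" % (name, type(claims[name]).__name__, claims[name]))
    if "exp" not in claims:
        findings.append("exp claim missing")
    elif _is_numeric_date(claims["exp"]) and claims["exp"] <= now:
        findings.append("token expired")
    if claims.get("iss") != expected_iss:
        findings.append("iss %r != %r" % (claims.get("iss"), expected_iss))
    aud = claims.get("aud")                       # aud may be a single string or an array
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        findings.append("aud %r does not include %r" % (aud, expected_aud))
    return findings


# Claim names mirror the property-names line in the post's agent log; values are constructed.
BASE_CLAIMS = {"aud": EXPECTED_AUD, "iss": EXPECTED_ISS, "jti": "random", "token_use": "access",
               "token_type": "bearer", "username": "isyed", "scope": "PSCUser", "exp": NOW + 3600}


def demo():
    """Return the findings for a well-formed token and for one whose iat is a string."""
    good = make_jwt(dict(BASE_CLAIMS, iat=NOW), DEMO_SECRET)
    bad = make_jwt(dict(BASE_CLAIMS, iat="2019-03-05T16:32:41+11:00"), DEMO_SECRET)  # constructed failure case
    return (inspect_jwt(good, DEMO_SECRET, EXPECTED_ISS, EXPECTED_AUD, NOW),
            inspect_jwt(bad, DEMO_SECRET, EXPECTED_ISS, EXPECTED_AUD, NOW))


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, "->", result or "no findings")
```

Running the block reports no findings for the first token and one finding for the second, naming iat and the offending string type. The point of checking the type explicitly is that a downstream component which only logs a WARN and then treats the claim as null leaves you guessing; a resource server that rejects the token with a precise reason gives both the issuer and the operator something to act on.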
