PowerServer 2025 Help
Using Okta OIDC (OpenID Connect)

In this section, we will modify the PowerBuilder application settings and source code to achieve the following results:

The token URL is where you can get a token.

Instead of hard-coding the token URL in the application scripts, we will specify the token URL in an INI file, so that the URL can be modified without affecting the scripts.

Step 1: Create an INI file in the same location as the PBT file and name it CloudSetting.ini.

Step 2: Specify the URL for requesting the token from Okta in the INI file.

[Setup]
TokenURL= https://dev-02923419.okta.com/oauth2/default/v1/token

To modify the PowerBuilder application source code to get a token from the authentication server:

Step 1: Declare the following global variables.

//Token expiresin
Long gl_Expiresin
//Refresh token clockskew 
Long gl_ClockSkew = 3

Step 2: Add the following scripts to Okta login window.

When the application starts, the application displays the login window. You can enter the username and password to sign in.

forward
global type w_login from window
end type
type wb_1 from webbrowser within w_login
end type
end forward

global type w_login from window
integer width = 3643
integer height = 2332
boolean titlebar = true
string title = "Okta login"
boolean controlmenu = true
windowtype windowtype = response!
long backcolor = 67108864
string icon = "AppIcon!"
boolean center = true
wb_1 wb_1
end type
global w_login w_login

type variables
string is_url
end variables
on w_login.create
this.wb_1=create wb_1
this.Control[]={this.wb_1}
end on

on w_login.destroy
destroy(this.wb_1)
end on

event open;
is_url = message.StringParm

wb_1.Navigate(is_url)
end event

type wb_1 from webbrowser within w_login
integer x = 14
integer y = 28
integer width = 3598
integer height = 2192
end type

event resourceredirect;String ls_locationUrl
ls_locationUrl = RedirectUrl

If Pos (ls_locationUrl, "code=" ) > 0 Then
          CloseWithReturn(Parent, ls_locationUrl)
end If
end event

Step 3: Define a global function and name it f_Authorization().

Select from menu File > New; in the New dialog, select the PB Object tab and then select Function and click OK to add a global function.

This global function uses the HTTP Post method to send the user credentials to the authorization server and then gets the identity token from the HTTP Authorization header.

Add scripts to the f_Authorization() function to implement the following scenario:

Scripts for scenario 1:

When the application starts, the client ID and secret stored in the application as well as the authorization code from the login window will be sent to Okta to get the token, and when the token expires, the login window displays for the user to input the username and password again.

//Integer f_Authorization() for authorization_code
//Code from login window
OAuthClient    loac_Client
TokenRequest   ltr_Request
TokenResponse  ltr_Response
String  ls_URL, ls_URL_Code, ls_code
String  ls_TokenType, ls_AccessToken
String  ls_type, ls_description, ls_uri, ls_state
String  ls_ClientID, ls_ClientSecret, ls_Scope, ls_RedirectUri
Integer  li_Return, li_rtn
Long   ll_Rand

li_rtn = -1
ls_url = profilestring("CloudSetting.ini","setup","TokenURL","")

//okta login window
ll_Rand = Rand(32767)
ls_ClientID = "0oa2gio6k8k1kJDGQ5d7"
ls_ClientSecret = "Z6qh64ih-SGliIN-6U0r0Ycyd4MYayM_WDdYaJAW"
ls_Scope = "openid"
ls_RedirectUri = "http://localhost:5099/authorization-code/callback"

ls_Url_code = "https://dev-02923419.okta.com/oauth2/default/v1/authorize?client_id=" + ls_ClientID +&
 "&redirect_uri=" + ls_RedirectUri + &
 "&scope=" + ls_Scope + &
 "&response_type=code&state=state-" + String(ll_Rand)
OpenWithParm ( w_login,ls_Url_code )
ls_code = Message.Stringparm
If Len (ls_code) < 1 Then Return li_rtn
If Pos(ls_code, "code=") < 0 Then return li_rtn
ls_code = Mid (ls_code, pos(ls_code,"code=") + 5)
If Pos(ls_code, "&state") < 0 Then return li_rtn
ls_code = Mid (ls_code, 1,pos(ls_code,"&state") - 1)

//TokenRequest
ltr_Request.Method = "POST"
ltr_Request.tokenlocation = ls_url
ltr_Request.granttype = "authorization_code"
ltr_Request.clientid = ls_ClientID
ltr_Request.clientsecret = ls_ClientSecret
ltr_Request.ClearParams()
ltr_Request.AppendParam("grant_type","authorization_code")
ltr_Request.AppendParam("client_id", ls_ClientID)
ltr_Request.AppendParam("client_secret", ls_ClientSecret)
ltr_Request.AppendParam("scope", ls_Scope)
ltr_Request.AppendParam("code", ls_code)
ltr_Request.AppendParam("redirect_uri", ls_RedirectUri)
ltr_Request.ClearHeaders()
ltr_Request.SetHeader("Content-Type","application/x-www-form-urlencoded")

loac_Client = Create OAuthClient
li_Return = loac_Client.AccessToken(ltr_Request, ltr_Response)
If li_Return = 1 and ltr_Response.GetStatusCode () = 200 Then
 ls_TokenType = ltr_Response.gettokentype()
 ls_AccessToken = ltr_Response.GetAccessToken()
 //Application Set Authorization Header
 Getapplication().SetHttpRequesTheader("Authorization", ls_TokenType + " " +ls_AccessToken, true)
 //Set Global Variables
 gl_Expiresin = ltr_Response.getexpiresin()

 li_rtn = 1
Else
 li_Return = ltr_Response.GetTokenError(ls_type, ls_description, ls_uri, ls_state)
 MessageBox ("AccessToken Falied", "Return :" + String (li_Return ) + "~r~n" + ls_description)
End If

If IsValid (loac_Client) Then DesTroy (loac_Client)

Return li_rtn

Step 4: Insert a timing object (timing_1) to the application and add the following scripts to the Timer event of timing_1.

1) Open the application object and then select from menu Insert > Object > Timing to add a timing object to the application.

2) Add the following scripts to the Timer event of timing_1.

//Authorization
f_Authorization()

When displayed in the source editor, the Timer event looks like this:

event timer;//Authorization
f_Authorization()
end event

Step 5: Add the following scripts to the SystemError event.

The scripts will trigger the SystemError event when the session or license encounters an error; and if the token is invalid or expires, the scripts will call the f_Authorization function to get the token again.

Choose Case error.Number
 Case 220  to 229 //Session Error
  MessageBox ("Session Error", "Number:" + String(error.Number) + "~r~nText:" + error.Text )
 Case 230  to 239 //License Error
  MessageBox ("License Error", "Number:" + String(error.Number) + "~r~nText:" + error.Text )
 Case 240  to 249 //Token Error
  MessageBox ("Token Error", "Number:" + String(error.Number) + "~r~nText:" + error.Text )
  //Authorization
  f_Authorization()
 Case Else
  MessageBox ("SystemError", "Number:" + String(error.Number) + "~r~nText:" + error.Text )
End Choose

By default, the user session is automatically created when the application starts; and the session includes no token. For the session to include the token, the session must be started manually by code instead of automatically.

To start the session manually by code,

Step 1: Select the "Dynamic session parameters" option in the PowerBuilder IDE. (Steps: Open the application object painter, click Additional Properties in the application's Properties dialog; in the Application dialog, select the PowerServer tab and then select the Dynamic session parameters option and click Apply.)

Step 2: Call the BeginSession function in the application Open event.

Place the following scripts before the database connection is established. The scripts create the user session which includes the token information.

If IsPowerServerApp() Then
 //Authorization
 If f_Authorization() <> 1 Then
  Return
 End If
 
 //StartSession
 long ll_return
 Try
 ll_return = Beginsession()
 If ll_return <> 0 Then
   Messagebox("Beginsession Failed:" + String(ll_return), GetHttpResponseStatusText())
  End if
 Catch ( Throwable ex)
  MessageBox( "Throwable", ex.GetMessage())
  Return
 End Try

 //Refresh Token for timing
 If gl_Expiresin > 0 And (gl_Expiresin - gl_ClockSkew) > 0 Then
  //Timer = Expiresin - ClockSkew 
  //7200 - 3
  timing_1.Start(gl_Expiresin - gl_ClockSkew)
 End If
End If

// Connect db