%SYS.OAuth2.Validation

class %SYS.OAuth2.Validation extends %Library.RegisteredObject

The %SYS.OAuth2.Validation class defines the methods used to validate an access token or ID token.

Method Inventory

Methods

classmethod ValidateIDToken(applicationName As %String, IDToken As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
ValidateIDToken validates the signed OpenID Connect ID token and creates an object to reflect the JWT properties.
ValidateIDToken also validates the access token based on the at_hash property of the IDToken.
  • applicationName - the name of the client or resource server configuration which contains authorization server access data, such as authorization server ServerCredentials.
  • scope - a blank separated list of scope values. If scope is specified, the JWT must contain a scope claim which is a superset of this parameter.
  • aud - the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
  • jsonObject - a JSON Object containing the claims in the JWT.
  • securityParameters - an array of strings indicating the signature and/or encryption operations to be performed on the ID Token.

    For JSON Web Signature (JWS):
    • securityParameters("sigalg") - Signature or MAC algorithm.

    For JSON Web Encryption (JWE):
    • securityParameters("keyalg") - Key management algorithm.
    • securityParameters("encalg") - Content encryption algorithm.

    Note: securityParameters("keyalg") and securityParameters("encalg") must either both be specified or both be null.
    See %OAuth2.JWT for the list of supported algorithms.
classmethod ValidateJWT(applicationName As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
ValidateJWT validates the given JWT token and creates an object to reflect the JWT properties.
This method will accept both signed and unsigned tokens. Applications that require tokens to be signed should inspect securityParameters("sigalg"). If this value is undefined, then the given token was not signed.
  • applicationName - the name of the client or resource server configuration which contains authorization server access data, such as authorization server ServerCredentials.
  • scope - a blank separated list of scope values. If scope is specified, the JWT must contain a scope claim which is a superset of this parameter.
  • aud - the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
  • jsonObject - a JSON Object containing the claims in the JWT.
  • securityParameters - an array of strings indicating the signature and/or encryption operations to be performed on the JWT.

    For JSON Web Signature (JWS):
    • securityParameters("sigalg") - Signature or MAC algorithm. This will only be set if the JWT is signed.

    For JSON Web Encryption (JWE):
    • securityParameters("keyalg") - Key management algorithm.
    • securityParameters("encalg") - Content encryption algorithm.

    Note: securityParameters("keyalg") and securityParameters("encalg") must either both be specified or both be null.
    See %OAuth2.JWT for the list of supported algorithms.
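
Added example, not part of the class reference: a resource-server helper that wraps ValidateJWT and, because ValidateJWT accepts both signed and unsigned tokens, refuses any token for which securityParameters("sigalg") is undefined and pins the expected algorithm. The configuration name "MyResourceServer", the audience "api.example.com" and the expected algorithm "RS256" are placeholders to adapt to the actual configuration (see %OAuth2.JWT for the supported algorithm names).

```objectscript
/// Validate an access token with %SYS.OAuth2.Validation and additionally require
/// that it was signed with the expected algorithm. Returns a %Status; on success
/// the claims object produced by ValidateJWT is returned in the claims argument.
ClassMethod RequireSignedToken(accessToken As %String, Output claims As %RegisteredObject) As %Status
{
    Set sc = $$$OK
    Set applicationName = "MyResourceServer"   // placeholder: client/resource server configuration name
    Set requiredScope = "read write"           // blank separated scope list, as ValidateJWT expects
    Set aud = "api.example.com"                // placeholder: audience this server represents
    Set expectedAlg = "RS256"                  // placeholder: the algorithm the authorization server is configured to use
    Kill securityParameters

    Set isValid = ##class(%SYS.OAuth2.Validation).ValidateJWT(applicationName, accessToken, requiredScope, aud, .claims, .securityParameters, .sc)
    If 'isValid {
        // Surface the validation error, or a generic error if sc was left OK
        Quit $Select($$$ISERR(sc):sc, 1:$$$ERROR($$$GeneralError, "JWT validation failed"))
    }

    // ValidateJWT succeeds for unsigned tokens too; sigalg is undefined in that case.
    // An unsigned JWT carries no proof of origin, so it is rejected here.
    If $Get(securityParameters("sigalg")) = "" {
        Quit $$$ERROR($$$GeneralError, "Unsigned JWT rejected")
    }

    // Pin the algorithm so a token signed with an unexpected (e.g. weaker) algorithm is not accepted
    If securityParameters("sigalg") '= expectedAlg {
        Quit $$$ERROR($$$GeneralError, "Unexpected signature algorithm: "_securityParameters("sigalg"))
    }

    Quit sc
}
```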
