Class Reference
IRIS for UNIX 2019.2

class %SYS.OAuth2.Validation extends %RegisteredObject

The %SYS.OAuth2.Validation class defines the methods used to validate (or invalidate) an access token.

The underlying token is stored in OAuth2.AccessToken in the system database. OAuth2.AccessToken is indexed by the combination of SessionId and ApplicationName. Therefore, only one scope may be requested for each SessionId/ApplicationName. If a second request is made with a different scope and no access token has yet been granted, the scope in the new request becomes the expected scope.
Note that this class is in the library database and is thus available everywhere. However, token storage is in the system database and is thus not directly available to most code.



Summary

Methods
%AddToSaveSet %ClassIsLatestVersion %ClassName %ConstructClone
%DispatchClassMethod %DispatchGetModified %DispatchGetProperty %DispatchMethod
%DispatchSetModified %DispatchSetMultidimProperty %DispatchSetProperty %Extends
%GetParameter %IsA %IsModified %New
%NormalizeObject %ObjectModified %OriginalNamespace %PackageName
%RemoveFromSaveSet %SerializeObject %SetModified %ValidateObject
ValidateIDToken ValidateJWT


Methods

• classmethod ValidateIDToken(applicationName As %String, IDToken As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
ValidateIDToken validates the signed OpenID Connect ID token and creates an object to reflect the JWT properties. ValidateIDToken also validates the access token based on the at_hash property of the IDToken. The applicationName argument is the name of the client or resource server configuration which contains authorization server access data, such as the authorization server ServerCredentials. The scope argument is a blank-separated list of scope values. If scope is specified, the access token must have an associated scope which is a superset of the scope parameter.
The aud argument specifies the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
The claims in the JSON object are returned in jsonObject.
securityParameters - Array of strings recording the JSON Object Signature and/or Encryption operations that were performed on the JWT

For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm

For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm
securityParameters("encalg") - Content encryption algorithm
Note that securityParameters("keyalg") and securityParameters("encalg") must either both be specified or both be null.
See %OAuth2.JWT for the list of supported algorithms.
• classmethod ValidateJWT(applicationName As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
ValidateJWT validates the signed JWT token and creates an object to reflect the JWT properties. The applicationName argument is the name of the client or resource server configuration which contains authorization server access data, such as the authorization server ServerCredentials. The scope argument is a blank-separated list of scope values. If scope is specified, the JWT must contain a scope claim which is a superset of the scope parameter.
The aud argument specifies the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
The claims in the JSON object are returned in jsonObject.
securityParameters - Array of strings recording the JSON Object Signature and/or Encryption operations that were performed on the JWT

For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm

For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm
securityParameters("encalg") - Content encryption algorithm
Note that securityParameters("keyalg") and securityParameters("encalg") must either both be specified or both be null.
See %OAuth2.JWT for the list of supported algorithms.
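The following resource-server guard is an added example, not InterSystems code, showing how ValidateJWT is meant to be called: scope and aud are always supplied (the page notes that an omitted aud disables audience checking), sc is inspected before the boolean result, and the claims are read from jsonObject. The application name "MyResourceServer", the scope "patient.read", the audience URL, and the treatment of jsonObject as a %DynamicObject are assumptions for illustration.

```objectscript
/// Added example (not InterSystems code): accept a bearer access token only when
/// %SYS.OAuth2.Validation.ValidateJWT succeeds for the expected scope and audience.
Class Example.OAuth2.ResourceGuard Extends %RegisteredObject
{

/// Returns 1 when the token is acceptable and sets subject to the "sub" claim;
/// otherwise returns 0 and explains why in reason.
/// The page declares jsonObject as %RegisteredObject; this example assumes it is a
/// %DynamicObject so claims can be read with %Get (an assumption, not documented above).
ClassMethod Authorize(accessToken As %String, Output subject As %String, Output reason As %String) As %Boolean
{
    Set subject = "", reason = ""
    Set appName = "MyResourceServer"                  // constructed client/resource server configuration name
    Set requiredScope = "patient.read"                // blank-separated list; token scope must be a superset
    Set expectedAud = "https://api.example.test/fhir" // constructed audience value

    // Always pass scope and aud: if aud is empty, no audience checking takes place.
    Set isValid = ##class(%SYS.OAuth2.Validation).ValidateJWT(appName, accessToken, requiredScope, expectedAud, .jsonObject, .securityParameters, .sc)

    // Check the status first: an error here means the token was never fully validated.
    If $System.Status.IsError(sc) {
        Set reason = "validation error: "_$System.Status.GetErrorText(sc)
        Quit 0
    }
    If 'isValid {
        Set reason = "token rejected (signature, scope or audience check failed)"
        Quit 0
    }
    // Defensive policy check (assumption about the output array): require that a
    // signature or MAC algorithm was actually applied before trusting the claims.
    If $Get(securityParameters("sigalg")) = "" {
        Set reason = "token carries no signature algorithm"
        Quit 0
    }
    Set subject = jsonObject.%Get("sub")
    Quit 1
}

}
```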


Copyright (c) 2019 by InterSystems Corporation. Cambridge, Massachusetts, U.S.A. All rights reserved. Confidential property of InterSystems Corporation.