Class Reference
IRIS for UNIX 2019.2
InterSystems: The power behind what matters   
Documentation  Search
  [%SYS] >  [OAuth2] >  [Server] >  [Configuration]
Private  Storage   

persistent class OAuth2.Server.Configuration extends %Persistent

The authorization server configuration is maintained by the OAuth2.Server.Configuration class. We supply an SMP page, %CSP.UI.Portal.OAuth2.Server, which configures the OAuth2 server as part of the SMP. It is possible customize the authorization server by replacing this page by a user written page which maintains the OAuth2.Server.Configuration class instance. This class is used internally by InterSystems IRIS. You should not make direct use of it within your applications. There is no guarantee made about either the behavior or future operation of this class.

Inventory

Parameters Properties Methods Queries Indices ForeignKeys Triggers
2 31 18 1


Summary

Properties
AccessTokenInterval AllowUnsupportedScope AudRequired AuthenticateClass
AuthorizationCodeInterval ClientSecretInterval CustomizationNamespace CustomizationRoles
DefaultScope Description EncryptionAlgorithm GenerateTokenClass
IssuerEndpoint JWKSFromCredentials KeyAlgorithm Metadata
RefreshTokenInterval ReturnRefreshToken SSLConfiguration ServerCredentials
ServerPassword SessionClass SessionInterval SigningAlgorithm
SupportSession SupportedGrantTypes SupportedScopes ValidateUserClass

Methods
%AddToSaveSet %AddToSyncSet %BMEBuilt %CheckConstraints
%CheckConstraintsForExtent %ClassIsLatestVersion %ClassName %ComposeOid
%ConstructClone %Delete %DeleteExtent %DeleteId
%DispatchClassMethod %DispatchGetModified %DispatchGetProperty %DispatchMethod
%DispatchSetModified %DispatchSetMultidimProperty %DispatchSetProperty %Exists
%ExistsId %Extends %GUID %GUIDSet
%GetLock %GetParameter %GetSwizzleObject %Id
%InsertBatch %IsA %IsModified %IsNull
%KillExtent %KillExtentData %LoadFromMemory %LockExtent
%LockId %New %NormalizeObject %ObjectIsNull
%ObjectModified %Oid %OnBeforeAddToSync %OnDetermineClass
%Open %OpenId %OriginalNamespace %PackageName
%PhysicalAddress %PurgeIndices %Reload %RemoveFromSaveSet
%ResolveConcurrencyConflict %RollBack %Save %SaveDirect
%SaveIndices %SerializeObject %SetModified %SortBegin
%SortEnd %SyncObjectIn %SyncTransport %UnlockExtent
%UnlockId %ValidateIndices %ValidateObject Delete
GetSupportedAlgorithms Open RotateKeys Save


Parameters

• parameter HTTP200OK = "200 OK";
• parameter HTTP500INTERNALSERVERERROR = "500 Internal Server Error";

Properties

• property AccessTokenInterval as %Integer(MINVAL=1) [ InitialExpression = 3600,Required ];
AccessTokenInterval is the interval in seconds after which an access token issued by this server will expire. The default is 3600 seconds.
• property AllowUnsupportedScope as %Boolean [ InitialExpression = 0 ];
If AllowUnsupportedScope is true (1), then unsupported scope values will be ignored. Otherwise, an error will be returned.
• property AudRequired as %Boolean;
If AudRequired is true, then an authorization code and implicit requests require the aud property.
• property AuthenticateClass as %String(MAXLEN=256,MINLEN=1) [ InitialExpression = "%OAuth2.Server.Authenticate",Required ];
AuthenticateClass is the name of a subclass of %OAuth2.Server.Authenticate which will be used to allow override of the DirectLogin, DisplayLogin and DisplayPermissions methods during user authorization.
• property AuthorizationCodeInterval as %Integer(MINVAL=1) [ InitialExpression = 60,Required ];
AuthorizationCodeInterval is the interval in seconds after which an authorization code issued by this server will expire. The default is 60 seconds.
• property ClientSecretInterval as %Integer(MINVAL=0) [ InitialExpression = 0 ];
ClientSecretInterval is the interval in seconds after which a client secret will expire. The default value of 0 means the session will not be automatically terminated.
• property CustomizationNamespace as %String [ Required ];
CustomizationNamespace is the namespace where the customization code is to be run.
• property CustomizationRoles as %String(MAXLEN=1024,MINLEN=1) [ Required ];
CustomizationRoles is a comma separated list of roles that are set for any call to user supplied customization code.
• property DefaultScope as %String(MAXLEN=1024);
DefaultScope is a blank separated list containing the default for access token scope if scope is not specified in the access token request or in the client configuration.
• property Description as %String(MAXLEN=1024);
Description is a human readable of this authorization server.
• property EncryptionAlgorithm as %String(VALUELIST=",A128CBC-HS256,A192CBC-HS384,A256CBC-HS512");
EncryptionAlgorithm specifies the default encryption algorithm used to create JWEs or "" if JWTs are not to be encrypted. EncryptionAlgorithm is used for any client specific algorithm which is not specified. See %OAuth2.JWT for the list of supported algorithms. If EncryptionAlgorithm is specified, KeyAlgorithm must also be specified.
• property GenerateTokenClass as %String(MAXLEN=256,MINLEN=1) [ InitialExpression = "%OAuth2.Server.Generate",Required ];
GenerateTokenClass is the name of a class with the same signatures as OAuth2.Server.Generate which overrides the GenerateToken method. The GenerateToken method of OAuth2.Server.AccessToken generates an opaque token consisting of a random number. We will also supply an %OAuth2.Server.JWT subclass of OAuth2.Server.AccessToken which will generate a signed JWT based on the token properties.
• property IssuerEndpoint as OAuth2.Endpoint [ Required ];
IssuerEndpoint is the endpoint for this authorization server.
• property JWKSFromCredentials as %Boolean [ InitialExpression = 0 ];
JWKSFromCredentials is true if the JWKSs were created from ServerCredentials.
This property should never be set directly for configuration.
• property KeyAlgorithm as %String(VALUELIST=",RSA1_5,RSA-OAEP,A128KW,A192KW,A256KW");
KeyAlgorithm specifies the default key management algorithm used to create JWEs or "" if JWTs are not to be encrypted. Keylgorithm is used for any client specific algorithm which is not specified. See %OAuth2.JWT for the list of supported algorithms. If KeyAlgorithm is specified, EncryptionAlgorithm must also be specified.
• property Metadata as OAuth2.Server.Metadata;
The meta data which describes this authorization server,
• property RefreshTokenInterval as %Integer(MINVAL=1) [ InitialExpression = 86400,Required ];
RefreshTokenInterval is the interval in seconds after which a refresh token issued by this server will expire. The default is 24 hours = 86400 seconds.
• property ReturnRefreshToken as %String;
ReturnRefreshToken defines the conditions under which a refresh token is returned along with the access token. This property is a string of multiple condition characters which are OR'ed. "" means only return a RefreshToken as required by OpenID Connect.
- "a" - Always - "c" - Confidential client - "f" - if offline_access scope requested
• property SSLConfiguration as %String(MAXLEN=64);
The name of the activated TLS/SSL configuration to use loading a request object.
Chosen by user during configuration.
• property ServerCredentials as %String;
ServerCredentials is the alias of the %SYS.X509Credentials object which contains the authoriization server's certificate and private key.
• property ServerPassword as %String(MAXLEN=128);
ServerPassword is the password for the private key in ServerCredentials if the password is not in the %SYS.X5009Credentials object
• property SessionClass as %String(MAXLEN=256,MINLEN=1) [ InitialExpression = "OAuth2.Server.Session",Required ];
SessionClass is the name of a class with the same signatures as OAuth2.Server.Session which includes GetUser, Login and Logout methods. These methods maintain an OAuth 2.0 session using any appropriate means. The default OAuth2.Session class uses an httpOnly cookie.
• property SessionInterval as %Integer(MINVAL=0) [ InitialExpression = 86400,Required ];
SessionInterval is the interval in seconds after which a user session will be automatically terminated. The value 0 means the session will not be automatically terminated. The default is 24 hours = 86400 seconds.
• property SigningAlgorithm as %String(VALUELIST=",RS256,RS384,RS512");
SigningAlgorithm specifies the default signing algorithm used to create JWSs or "" if JWTs are not to be signed. SigningAlgorithm is used for any client specific algorithm which is not specified. See %OAuth2.JWT for the list of supported algorithms.
• property SupportSession as %Boolean;
If SupportSession is true, then OAuth 2.0 user sessions will be supported using the specified SessionClass.
• property SupportedGrantTypes as %String(MAXLEN=5,MINLEN=1);
**** Moved to OAuth2.Server.Metadata when dynamic client support introduced
SupportedGrantTypes is the grant types that are supported to create an access token. This property is a string of 1 to 5 characters with one character for each supported grant type as follows:
- "A" - Authorization Code - "I" - Implicit - "P" - Resource Owner Password Credentials - "C" - Client Credentials - "J" - JWT Authorization
• property SupportedScopes as array of %String(MAXLEN=1024) [ Required ];
SupportedScopes is a %ArrayOfDatatypes which specifies all scopes supported by this Authorization Server. The index for each array element is the scope and the value is the description of the scope for display.
• property ValidateUserClass as %String(MAXLEN=256,MINLEN=1) [ InitialExpression = "%OAuth2.Server.Validate",Required ];
ValidateUserClass is the name of a class with the same signatures as %OAuth2.Server.Validate which may override the ValidateUser method which validates a user and associates a set of properties with this user.

Methods

• classmethod Delete() as %Status
Delete this configuration.
• classmethod GetSupportedAlgorithms(Output sigalgs As %List, Output encalgs As %List, Output keyalgs As %List)
Get server supported algorithms
• classmethod Open(Output sc As %Status) as OAuth2.Server.Configuration
Open the single OAuth2.Server.Configuration instance.
• method RotateKeys() as %Status
Rotate the auhtorization server's public/private key pairs by adding a new key pair to the JWKS and saving the JWKS. At this time, all private keys are kept. In the future only a limited set of private keys will be kept.
• method Save() as %Status
Save the single OAuth2.Server.Configuration instance. If this is the first time the configuration is saved, the Save method will also create a CSP application for this authorization server. The CSP application will be /csp/oauth2server.

Indices

•index (IDIndex on Key) [IdKey,Unique];
The IDKEY for the singleton configuration class.


Copyright (c) 2019 by InterSystems Corporation. Cambridge, Massachusetts, U.S.A. All rights reserved. Confidential property of InterSystems Corporation.