

class OAuth2.Server.OpenID extends

The authorization server supports the OpenID Connect specification. The OAuth2.Server.OpenID class is a helper class that contains the OpenID Connect functionality. This class is used internally by InterSystems IRIS. You should not make direct use of it within your applications. No guarantee is made about either the behavior or the future operation of this class.




%%OIDGet %AddToSaveSet %BindExport %BuildObjectGraph
%ClassIsLatestVersion %ClassName %Close %ConstructClone
%DispatchClassMethod %DispatchGetModified %DispatchGetProperty %DispatchMethod
%DispatchSetModified %DispatchSetMultidimProperty %DispatchSetProperty %Extends
%GetParameter %IncrementCount %IsA %IsModified
%New %NormalizeObject %ObjectModified %OriginalNamespace
%PackageName %RemoveFromSaveSet %SerializeObject %SetModified
%ValidateObject AddRequiredClaims AddScopeClaims CreateIDToken
Hash IsOpenID SetAudClaim Validate


• classmethod AddRequiredClaims(json As %DynamicObject, token As OAuth2.Server.AccessToken)
Add to the JSON object the additional claims that are required for OpenID Connect.
• classmethod AddScopeClaims(token As OAuth2.Server.AccessToken)
Add claims that are based on scopes. Always add default claims.
• classmethod CreateIDToken(token As OAuth2.Server.AccessToken, Output sc As %Status) as %String
Create an ID token based on the properties of the access token, adding the additional claims that an ID token needs. This method assumes that %server is the server configuration.
• classmethod Hash(alg As %String, tokenString As %String) as %String
Compute the token hash of tokenString (the value that Validate checks against the at_hash claim) using the hash function that corresponds to the signature algorithm alg.
• classmethod IsOpenID(scope As %String) as %Boolean
Is this an OpenID authorization request? Find out by looking for openid scope.
• classmethod SetAudClaim(json As %DynamicObject, token As OAuth2.Server.AccessToken, openid As %Boolean)
Set the aud claim of the JSON object.
• classmethod Validate(applicationName As %String, IDToken As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
Validate validates the signed OpenID Connect ID token and creates an object that reflects the JWT claims. Validate also validates the access token against the at_hash claim of the ID token. The applicationName argument is the name of the client or resource server configuration that contains the authorization server access data, such as the authorization server ServerCredentials. The scope argument is a blank-separated list of scope values. If scope is specified, the access token must have an associated scope that is a superset of the scope parameter.
The aud argument specifies the audience that is using the token. If the token has an associated aud claim (usually because the audience was specified when the token was requested), then aud is matched against the token audience. If aud is not specified, no audience checking takes place.
The claims of the ID token are returned in jsonObject.
securityParameters is an array of strings that describes the JSON Object Signature and/or Encryption operations that were applied to the JWT:

For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm.
For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm.
securityParameters("encalg") - Content encryption algorithm.
Note that securityParameters("keyalg") and securityParameters("encalg") must both be specified or both be null.
See %OAuth2.JWT for the list of supported algorithms.
• classmethod VerifyAudience(objectAudience, aud As %String, clientId As %String) as %Boolean
Verify the audience from the JSON object (objectAudience) against the audience of the resource server. The resource server audience is the aud argument or, if aud="", the client_id.
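The checks that Hash, IsOpenID, Validate and VerifyAudience describe above are the ordinary OpenID Connect Core rules: at_hash is the base64url-encoded left half of the access token hashed with the hash function that underlies the JWS algorithm (SHA-256 for RS256/HS256/ES256, SHA-384 for the 384 variants, SHA-512 for the 512 variants); the aud claim may be a single string or an array and must contain the expected audience; a required scope list must be a subset of the token's scope. The following Python is an added example that re-implements those rules in plain code so the behaviour can be checked offline; it is not InterSystems code and does not call the OAuth2.Server.OpenID class (which the page says not to use directly). Signature verification of the ID token itself is assumed to have already happened, and the claims, access token and names (client1, api) are constructed sample data.

```python
import base64
import hashlib
import hmac

# Hash function underlying each JWS "alg" value (OpenID Connect Core 3.1.3.6 / 3.3.2.11):
# the trailing digits of the algorithm name select the SHA-2 variant.
_HASH_BY_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def is_openid(scope: str) -> bool:
    """Mirror of IsOpenID: the request is an OpenID request iff the
    blank-separated scope list contains exactly the value 'openid'."""
    return "openid" in scope.split()


def token_hash(alg: str, token_string: str) -> str:
    """Mirror of Hash: at_hash / c_hash for token_string under JWS algorithm alg.
    Hash with the algorithm's SHA-2 function, keep the left-most half of the
    digest, base64url-encode it without padding."""
    try:
        digest_fn = _HASH_BY_BITS[alg[-3:]]
    except KeyError:
        raise ValueError(f"unsupported JWS alg for token hash: {alg}")
    digest = digest_fn(token_string.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_audience(object_audience, aud: str, client_id: str) -> bool:
    """Mirror of VerifyAudience: the expected audience is aud, or client_id
    when aud is empty. The JWT aud claim may be a string or a list (RFC 7519)."""
    expected = aud if aud else client_id
    if object_audience is None:
        return False
    if isinstance(object_audience, str):
        return object_audience == expected
    return expected in object_audience


def scope_is_superset(token_scope: str, required_scope: str) -> bool:
    """Validate's scope rule: every required scope value must be in the token scope."""
    return set(required_scope.split()) <= set(token_scope.split())


def validate_claims(claims: dict, sig_alg: str, access_token: str,
                    required_scope: str, token_scope: str,
                    aud: str, client_id: str):
    """The claim-level part of Validate, applied after the JWS signature has been
    verified. Returns (ok, reason). An access token, when supplied, must match
    at_hash; aud is only checked when the caller specifies one and the ID token
    carries an aud claim, as the Validate description above states."""
    if access_token:
        if "at_hash" not in claims:
            return False, "at_hash claim missing"
        expected = token_hash(sig_alg, access_token)
        if not hmac.compare_digest(claims["at_hash"], expected):
            return False, "at_hash does not match access token"
    if aud and "aud" in claims and not verify_audience(claims["aud"], aud, client_id):
        return False, "aud does not match"
    if required_scope and not scope_is_superset(token_scope, required_scope):
        return False, "token scope does not cover required scope"
    return True, "ok"


# Constructed sample data (hypothetical names and tokens, not real credentials).
SAMPLE_ACCESS_TOKEN = "constructed-access-token-value"
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/oauth2",
    "sub": "user-42",
    "aud": ["client1", "api"],
    "at_hash": token_hash("RS256", SAMPLE_ACCESS_TOKEN),
}

if __name__ == "__main__":
    print(validate_claims(SAMPLE_CLAIMS, "RS256", SAMPLE_ACCESS_TOKEN,
                          "openid email", "openid profile email", "api", "client1"))
    print(validate_claims(SAMPLE_CLAIMS, "RS256", "tampered-token",
                          "openid", "openid", "api", "client1"))
```

The at_hash comparison uses hmac.compare_digest rather than == so the check is constant-time; a mismatch here means the access token presented alongside the ID token is not the one the authorization server issued with it.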