%OAuth2.ResourceServer.SimpleAuthenticator
class %OAuth2.ResourceServer.SimpleAuthenticator extends %OAuth2.ResourceServer.Authenticator
This class is a %OAuth2.ResourceServer.Authenticator instance that will authenticate connections based on a simple mapping. It will look in the UserClaim for the username and the RoleClaim for the Role values. Roles can additionally be filtered by an optional Prefix. This class can be extended to allow for more elaborate logic. See %OAuth2.ResourceServer.Authenticator for details.
Properties
property Prefix as %String (MAXLEN = 256);
Optional. If specified then only values with the given prefix will be used to determine roles.
Property methods: PrefixDisplayToLogical(), PrefixGet(), PrefixIsValid(), PrefixLogicalToDisplay(), PrefixLogicalToOdbc(), PrefixNormalize(), PrefixSet()
property RoleClaim as %String (MAXLEN = 256) [ InitialExpression = "scope" ];
The claim which will be used to determine the roles. The claim value can be an array
or a space separated list. The default is "scope".
Property methods: RoleClaimDisplayToLogical(), RoleClaimGet(), RoleClaimIsValid(), RoleClaimLogicalToDisplay(), RoleClaimLogicalToOdbc(), RoleClaimNormalize(), RoleClaimSet()
property UserClaim as %String (MAXLEN = 256) [ InitialExpression = "sub" ];
The claim which will be used to determine the username. The default is "sub".
Property methods: UserClaimDisplayToLogical(), UserClaimGet(), UserClaimIsValid(), UserClaimLogicalToDisplay(), UserClaimLogicalToOdbc(), UserClaimNormalize(), UserClaimSet()
Methods
method Authenticate(claims As %DynamicObject, oidc As %Boolean, ByRef properties As %String) as %Status
Inherited description: Authenticate a connection based on the validated claims from the Authorization Server. When this is called, the access token has already been validated, and the claims have been retrieved from the access token and/or the Authorization Server (depending on how the OAuth2.ResourceServer is configured). This method is used to determine the user context and roles to use for the connection. At a minimum the Username and Roles must be defined. For example, the following implementation will retrieve the Username from the subject ("sub") claim, and retrieve predefined role values from the scope claim.
See Security.Users for supported user properties.
```objectscript
set properties("Username") = claims.sub // use the subject claim as the username
// extract the expected role names from the scope list:
set scopeList = $listfromstring(claims.scope, " ")
set roles = ""
for r = "MyRole1","MyRole2","MyRole3" {
    if $listfind(scopeList,r) { set roles = roles_r_"," }
}
set properties("Roles") = $extract(roles,1,*-1)
return $$$OK
```
Arguments:
- claims - A %DynamicObject containing the claim values determined from the access token, OAuth2 introspection endpoint and/or the OpenID Connect userinfo endpoint.
- oidc - A boolean flag indicating whether OpenID Connect claims are included in the claims array.
- properties - A subscripted array containing, at a minimum, the Username and Roles to use for the connection.
method DetermineRoles(claims) as %String
Determine the roles to use given the specified claims.
method DetermineUser(claims As %DynamicObject) as %String
Determine the username to use given the specified claims.
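The mapping described above (UserClaim for the username, RoleClaim as an array or space-separated list, optional Prefix filter), as an added Python model so the behaviour can be exercised offline; this is not InterSystems code, the class and claim values are constructed for illustration, and it assumes a missing or non-string user claim rejects the connection and that a Prefix selects values without stripping it, neither of which this page states.

```python
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class SimpleAuthenticatorModel:
    user_claim: str = "sub"       # documented default for UserClaim
    role_claim: str = "scope"     # documented default for RoleClaim
    prefix: Optional[str] = None  # optional Prefix filter on role values

    def determine_user(self, claims: dict[str, Any]) -> Optional[str]:
        value = claims.get(self.user_claim)
        # Assumption: only a non-empty string is a usable username.
        return value if isinstance(value, str) and value else None

    def determine_roles(self, claims: dict[str, Any]) -> list[str]:
        raw = claims.get(self.role_claim)
        # Documented: the claim value is an array or a space-separated list.
        if isinstance(raw, list):
            values = [v for v in raw if isinstance(v, str)]
        elif isinstance(raw, str):
            values = raw.split()
        else:
            values = []
        if self.prefix:
            # Assumption: Prefix selects values; they are kept unstripped.
            values = [v for v in values if v.startswith(self.prefix)]
        roles: list[str] = []
        for v in values:              # preserve order, drop duplicates
            if v and v not in roles:
                roles.append(v)
        return roles

    def authenticate(self, claims: dict[str, Any]) -> Optional[dict[str, str]]:
        """Return the connection properties, or None to reject (fail closed)."""
        username = self.determine_user(claims)
        if username is None:
            return None
        # Same comma-separated Roles format as the inherited example above.
        return {"Username": username, "Roles": ",".join(self.determine_roles(claims))}


# Constructed sample claims (not from the page): scope as string and as array.
STRING_CLAIMS = {"sub": "alice", "scope": "openid role:%Developer role:%Operator"}
ARRAY_CLAIMS = {"sub": "bob", "scope": ["openid", "role:%Operator", "read"]}
```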
Inherited Members
Inherited Methods
- %AddToSaveSet()
- %ClassIsLatestVersion()
- %ClassName()
- %ConstructClone()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Extends()
- %GetParameter()
- %IsA()
- %IsModified()
- %JSONExport()
- %JSONExportToStream()
- %JSONExportToString()
- %JSONImport()
- %JSONNew()
- %New()
- %NormalizeObject()
- %ObjectModified()
- %OriginalNamespace()
- %PackageName()
- %RemoveFromSaveSet()
- %SerializeObject()
- %SetModified()
- %ValidateObject()
- ProcessOIDC()