Skip to main content


persistent class OAuth2.Server.AccessToken extends %Library.Persistent

SQL Table Name: OAuth2_Server.AccessToken

Access tokens are managed by the persistent class OAuth2.Server.AccessToken. OAuth2.Server.AccessToken stores the access token and related properties. This class is also the means of communication between the various parts of the authorization server. This class is used internally by InterSystems IRIS. You should not make direct use of it within your applications. There is no guarantee made about either the behavior or future operation of this class.

Property Inventory

Method Inventory


property AccessToken as %String (COLLATION = "EXACT");
AccessToken is the access token as a string. The default access token is a random string. However, the access token is easily customized to have any structure required by the using application - for example a signed JWT.
Property methods: AccessTokenDisplayToLogical(), AccessTokenGet(), AccessTokenGetStored(), AccessTokenIsValid(), AccessTokenLogicalToDisplay(), AccessTokenLogicalToOdbc(), AccessTokenNormalize()
property AccessTokenExpires as %Integer;
AccessTokenExpires is the time in seconds from beginning of the Unix epoch when the access expires.
Property methods: AccessTokenExpiresDisplayToLogical(), AccessTokenExpiresGet(), AccessTokenExpiresGetStored(), AccessTokenExpiresIsValid(), AccessTokenExpiresLogicalToDisplay(), AccessTokenExpiresNormalize(), AccessTokenExpiresSet()
property Aud as list of %String);
aud property from request which will be checked when validating token.
Property methods: AudBuildValueArray(), AudCollectionToDisplay(), AudCollectionToOdbc(), AudDisplayToCollection(), AudDisplayToLogical(), AudGet(), AudGetObject(), AudGetObjectId(), AudGetStored(), AudGetSwizzled(), AudIsValid(), AudLogicalToDisplay(), AudLogicalToOdbc(), AudNormalize(), AudOdbcToCollection(), AudSet(), AudSetObject(), AudSetObjectId()
property AuthTime as %Integer;
The time when the user was authenticated.
Property methods: AuthTimeDisplayToLogical(), AuthTimeGet(), AuthTimeGetStored(), AuthTimeIsValid(), AuthTimeLogicalToDisplay(), AuthTimeNormalize(), AuthTimeSet()
property AuthorizationCode as %String (COLLATION = "EXACT", MAXLEN = 128) [ Required ];
AuthorizationCode is a random number which serves as the IDKey for this class and as the Authorization Code when required by the Authorization Code grant type. We use AuthorizationCode as the IDKey because it comes into existence first in the process of creating an access token
Property methods: AuthorizationCodeDisplayToLogical(), AuthorizationCodeGet(), AuthorizationCodeGetStored(), AuthorizationCodeIsValid(), AuthorizationCodeLogicalToDisplay(), AuthorizationCodeLogicalToOdbc(), AuthorizationCodeNormalize(), AuthorizationCodeSet()
property AuthorizationCodeExpires as %Integer;
AuthorizationCodeExpires is the time in seconds from the bginning of the Unix epoch when the Authorization code passed to the client expires for the Authorization Code grant type.
Property methods: AuthorizationCodeExpiresDisplayToLogical(), AuthorizationCodeExpiresGet(), AuthorizationCodeExpiresGetStored(), AuthorizationCodeExpiresIsValid(), AuthorizationCodeExpiresLogicalToDisplay(), AuthorizationCodeExpiresNormalize(), AuthorizationCodeExpiresSet()
property ClientId as %String (MAXLEN = 1024);
ClientId is the client id for the client for which this token was issued.
Property methods: ClientIdDisplayToLogical(), ClientIdGet(), ClientIdGetStored(), ClientIdIsValid(), ClientIdLogicalToDisplay(), ClientIdLogicalToOdbc(), ClientIdNormalize(), ClientIdSet()
property CodeChallenge as %String);
Code challenge used by public clients for PCKE.
Property methods: CodeChallengeDisplayToLogical(), CodeChallengeGet(), CodeChallengeGetStored(), CodeChallengeIsValid(), CodeChallengeLogicalToDisplay(), CodeChallengeLogicalToOdbc(), CodeChallengeNormalize(), CodeChallengeSet()
property CodeChallengeMethod as %String (VALUELIST = ",plain,S256") [ InitialExpression = "plain" ];
Code challenge method used by public clients for PCKE.
Property methods: CodeChallengeMethodDisplayToLogical(), CodeChallengeMethodGet(), CodeChallengeMethodGetStored(), CodeChallengeMethodIsValid(), CodeChallengeMethodLogicalToDisplay(), CodeChallengeMethodLogicalToOdbc(), CodeChallengeMethodNormalize(), CodeChallengeMethodSet()
property GrantType as %String (VALUELIST = ",A,I,P,C,J");
GrantType is the grant type that was used to create this access token: - "A" - Authorization Code - "I" - Implicit - "P" - Resource Owner Password Credentials - "C" - Client Credentials - "J" - JWT Authorization
Property methods: GrantTypeDisplayToLogical(), GrantTypeGet(), GrantTypeGetStored(), GrantTypeIsValid(), GrantTypeLogicalToDisplay(), GrantTypeLogicalToOdbc(), GrantTypeNormalize(), GrantTypeSet()
property GroupId as %String);
The ID of the group that this access token object belongs to.
Property methods: GroupIdDisplayToLogical(), GroupIdGet(), GroupIdGetStored(), GroupIdIsValid(), GroupIdLogicalToDisplay(), GroupIdLogicalToOdbc(), GroupIdNormalize(), GroupIdSet()
property Hash as %String (COLLATION = "EXACT", MAXLEN = 64);
SHA512 hash of the AccessToken to be used for indexing
Property methods: HashDisplayToLogical(), HashGet(), HashGetStored(), HashIsValid(), HashLogicalToDisplay(), HashLogicalToOdbc(), HashNormalize(), HashSet()
property IDHash as %String (COLLATION = "EXACT", MAXLEN = 64);
SHA512 hash of the IDToken to be used for indexing
Property methods: IDHashDisplayToLogical(), IDHashGet(), IDHashGetStored(), IDHashIsValid(), IDHashLogicalToDisplay(), IDHashLogicalToOdbc(), IDHashNormalize(), IDHashSet()
property IDToken as %String);
IDToken is the IDToken which is returned forf OpenID Connect requests
Property methods: IDTokenDisplayToLogical(), IDTokenGet(), IDTokenGetStored(), IDTokenIsValid(), IDTokenLogicalToDisplay(), IDTokenLogicalToOdbc(), IDTokenNormalize()
property IssuedAt as %Integer;
The time at which the active access token was issued. This may be different from AuthTime if the token was issued from a refresh token, or if it was automatically issued due to a pre-existing session.
Property methods: IssuedAtDisplayToLogical(), IssuedAtGet(), IssuedAtGetStored(), IssuedAtIsValid(), IssuedAtLogicalToDisplay(), IssuedAtNormalize(), IssuedAtSet()
property Issuer as %String (MAXLEN = 1024);
The issuer of this access token.
Property methods: IssuerDisplayToLogical(), IssuerGet(), IssuerGetStored(), IssuerIsValid(), IssuerLogicalToDisplay(), IssuerLogicalToOdbc(), IssuerNormalize(), IssuerSet()
property Properties as %OAuth2.Server.Properties;
Properties is a %OAuth2.Server.Properties object that holds the various kinds of properties and claims that are used by the auhtorization server. The various classes which are involved in the authorization and authentication code flow use the properties argument (which is this token property) to communicate amongst themselves and with the authorization server.
See the definition of the %OAuth2.Server.Properties class for details about the propertyies and claims.
Property methods: PropertiesGet(), PropertiesGetObject(), PropertiesGetObjectId(), PropertiesGetStored(), PropertiesGetSwizzled(), PropertiesIsValid(), PropertiesNewObject(), PropertiesSet(), PropertiesSetObject(), PropertiesSetObjectId(), PropertiesUnSwizzle()
property RedirectURL as %String);
The redirect used for the current token authorization
Property methods: RedirectURLDisplayToLogical(), RedirectURLGet(), RedirectURLGetStored(), RedirectURLIsValid(), RedirectURLLogicalToDisplay(), RedirectURLLogicalToOdbc(), RedirectURLNormalize(), RedirectURLSet()
property RefreshToken as %String (COLLATION = "EXACT");
RefreshToken is the refresh token as a random string that is used to refresh the access token.
Property methods: RefreshTokenDisplayToLogical(), RefreshTokenGet(), RefreshTokenGetStored(), RefreshTokenIsValid(), RefreshTokenLogicalToDisplay(), RefreshTokenLogicalToOdbc(), RefreshTokenNormalize(), RefreshTokenSet()
property RefreshTokenExpires as %Integer;
RefreshTokenExpires is the time in seconds from beginning of the Unix epoch when the refresh expires, or "" means does not expire.
Property methods: RefreshTokenExpiresDisplayToLogical(), RefreshTokenExpiresGet(), RefreshTokenExpiresGetStored(), RefreshTokenExpiresIsValid(), RefreshTokenExpiresLogicalToDisplay(), RefreshTokenExpiresNormalize(), RefreshTokenExpiresSet()
property ResponseMode as %String;
The response_mode of the access token request: query or fragment
Property methods: ResponseModeDisplayToLogical(), ResponseModeGet(), ResponseModeGetStored(), ResponseModeIsValid(), ResponseModeLogicalToDisplay(), ResponseModeLogicalToOdbc(), ResponseModeNormalize(), ResponseModeSet()
property ResponseType as %String;
The response_type of the access token request
Property methods: ResponseTypeDisplayToLogical(), ResponseTypeGet(), ResponseTypeGetStored(), ResponseTypeIsValid(), ResponseTypeLogicalToDisplay(), ResponseTypeLogicalToOdbc(), ResponseTypeNormalize(), ResponseTypeSet()
property Scope as %String);
Scope is a blank separated list of scopes that were used to issue this token.
Property methods: ScopeDisplayToLogical(), ScopeGet(), ScopeGetStored(), ScopeIsValid(), ScopeLogicalToDisplay(), ScopeLogicalToOdbc(), ScopeNormalize(), ScopeSet()
property ScopeArray as array of %String);
An array of scopes and associated descriptions. This matches the scopes in the Scope property.
Property methods: ScopeArrayBuildValueArray(), ScopeArrayCollectionToDisplay(), ScopeArrayCollectionToOdbc(), ScopeArrayDisplayToCollection(), ScopeArrayDisplayToLogical(), ScopeArrayGet(), ScopeArrayGetObject(), ScopeArrayGetObjectId(), ScopeArrayGetStored(), ScopeArrayGetSwizzled(), ScopeArrayIsValid(), ScopeArrayLogicalToDisplay(), ScopeArrayLogicalToOdbc(), ScopeArrayNormalize(), ScopeArrayOdbcToCollection(), ScopeArraySet(), ScopeArraySetObject(), ScopeArraySetObjectId()
property Stage as %String;
Stage reflects the stage of the authentication process and is used for error checking. Possible values of Stage: "new", "delegated:", "login:", "2fa:", "permission", "".
"" means process completed or not started.
is the integer count of which login attempt is taking place.
Property methods: StageDisplayToLogical(), StageGet(), StageGetStored(), StageIsValid(), StageLogicalToDisplay(), StageLogicalToOdbc(), StageNormalize(), StageSet()
property State as %String);
State to be returned to requester in redirected response
Property methods: StateDisplayToLogical(), StateGet(), StateGetStored(), StateIsValid(), StateLogicalToDisplay(), StateLogicalToOdbc(), StateNormalize(), StateSet()
property Username as %Library.Username;
Username is the username specified and validated by during authentication. $char(0) means that authentication failed.
Property methods: UsernameDisplayToLogical(), UsernameGet(), UsernameGetStored(), UsernameIsValid(), UsernameLogicalToDisplay(), UsernameLogicalToOdbc(), UsernameNormalize(), UsernameSet()


method Delete() as %Status
Delete this access token
classmethod OpenByCode(authorizationCode As %String, Output sc As %Status) as OAuth2.Server.AccessToken
Open the OAuth2.Server.AccessToken instance using AuthorizationCode.
classmethod OpenByIDToken(IDToken As %String, Output sc As %Status) as OAuth2.Server.AccessToken
Open the OAuth2.Server.AccessToken instance using IDToken.
classmethod OpenByRefresh(refreshToken As %String, Output sc As %Status) as OAuth2.Server.AccessToken
Open the OAuth2.Server.AccessToken instance using RefreshToken
classmethod OpenByToken(accessToken As %String, Output sc As %Status) as OAuth2.Server.AccessToken
Open the OAuth2.Server.AccessToken instance using AccessToken.
classmethod RevokeByClientId(clientId As %String, Output count As %Integer) as %Status
RevokeByClientId will delete all access tokens that are associated with the specified client ID. The count argument will be returned as the number of access tokens that were deleted.
classmethod RevokeByGroupId(groupId As %String, Output count As %Integer) as %Status
RevokeByGroupId will delete all access tokens that are associated with the specified group ID. The count argument will be returned as the number of access tokens that were deleted.
classmethod RevokeUser(username As %String, Output count As %Integer) as %Status
RevokeUser will delete all access tokens that are associated with the specified user. The count argument will be returned as the number of access tokens that were deleted.
method Save() as %Status
Save this OAuth2.Server.AccessToken instance.


index (AuthIndex on AuthorizationCode) [IdKey, Type = key, Unique];
The IDKEY for the access token class.
Index methods: AuthIndexCheck(), AuthIndexDelete(), AuthIndexExists(), AuthIndexOpen(), AuthIndexSQLCheckUnique(), AuthIndexSQLExists(), AuthIndexSQLFindPKeyByConstraint(), AuthIndexSQLFindRowIDByConstraint()

Inherited Members

Inherited Methods


Storage Model: Storage (OAuth2.Server.AccessToken)

FeedbackOpens in a new tab