When you use Caché as an OAuth 2.0 authorization server, normally you implement the DisplayLogin() method of the Authenticate class, which displays a page where the user enters a username and password and logs in. If you instead want the server to authenticate without displaying a login form and without using the current session, then implement the DirectLogin() method of the Authenticate class. The following flowchart shows how a Caché authorization server identifies the user, when processing a request for an access token:
By default, the GetUser() method gets the username that was entered in the previous login.
Note that DisplayPermissions() is not called if you implement DirectLogin(), because DirectLogin() takes responsibility for displaying permissions.
The DirectLogin() method has the following signature:
ClassMethod DirectLogin(scope As %ArrayOfDataTypes, properties As %OAuth2.Server.Properties, Output username As %String, Output password As %String) As %Status
scope is an instance of %ArrayOfDataTypes that contains the scopes contained in the original client request, possibly modified by the BeforeAuthenticate() method. The array keys are the scope values and the array values are the corresponding display forms of the scope values.
properties is an instance of %OAuth2.Server.Properties that contains properties and claims received by the authorization server and modified by methods earlier in the processing. See “Details for the %OAuth2.Server.Properties Object.”
username, returned as output, is a username.
password, returned as output, is the corresponding password.
In your implementation, use your own logic to set the username and password arguments. To do so, use the scope and properties arguments as needed. To deny access, your method can set the username argument to $char(0). In this case, the authorization server will return the access_denied error.
The method can also set properties of properties; this object is available in later processing.
The method must return a %Status.