
Implementing DirectLogin()

When you use Caché as an OAuth 2.0 authorization server, normally you implement the DisplayLogin() method of the Authenticate class, which displays a page where the user enters a username and password and logs in. If you instead want the server to authenticate without displaying a login form and without using the current session, then implement the DirectLogin() method of the Authenticate class. The following flowchart shows how a Caché authorization server identifies the user, when processing a request for an access token:

[Flowchart: how a Caché authorization server identifies the user when processing a request for an access token]

By default, the GetUser() method gets the username that was entered in the previous login.

Note that DisplayPermissions() is not called if you implement DirectLogin(), because DirectLogin() takes responsibility for displaying permissions.

The DirectLogin() method has the following signature:

ClassMethod DirectLogin(scope As %ArrayOfDataTypes, 
                        properties As %OAuth2.Server.Properties, 
                        Output username As %String, 
                        Output password As %String) As %Status

Where:

  • scope is an instance of %ArrayOfDataTypes that contains the scopes from the original client request, possibly modified by the BeforeAuthenticate() method. The array keys are the scope values and the array values are the corresponding display forms of the scope values.

  • properties is an instance of %OAuth2.Server.Properties that contains properties and claims received by the authorization server and modified by methods earlier in the processing. See “Details for the %OAuth2.Server.Properties Object.”

  • username, returned as output, is a username.

  • password, returned as output, is the corresponding password.

In your implementation, use your own logic to set the username and password arguments. To do so, use the scope and properties arguments as needed. To deny access, your method can set the username argument to $char(0). In this case, the authorization server will return the access_denied error.

The method can also set properties of the properties object; this object is available in later processing.

The method must return a %Status.
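
The following DirectLogin() implementation is an added example, not InterSystems code. It denies any request whose scopes fall outside a pre-approved list, because no login or permissions page is shown on this path, and otherwise returns credentials read from the server's environment. The class name, the scope list, the environment variable names and the CustomProperties key are assumptions.

```objectscript
/// Added example, not InterSystems code. Class name, scope allowlist,
/// environment variable names and the CustomProperties key are assumptions.
Class MyApp.OAuth.DirectAuthenticate Extends %OAuth2.Server.Authenticate
{

ClassMethod DirectLogin(scope As %ArrayOfDataTypes, properties As %OAuth2.Server.Properties, Output username As %String, Output password As %String) As %Status
{
    // Fail closed: $char(0) makes the server return access_denied.
    set username = $char(0)
    set password = ""

    // No login or permissions page is shown on this path, so accept only
    // scopes approved in advance. The array keys are the scope values.
    set allowed = $listbuild("openid", "profile", "reports.read")
    set denied = 0
    set key = scope.Next("")
    while key '= "" {
        if '$listfind(allowed, key) {
            set denied = 1
            quit
        }
        set key = scope.Next(key)
    }
    if denied { quit $$$OK }

    // Credentials come from the server's environment, never from the request.
    set user = $system.Util.GetEnviron("OAUTH_DIRECT_USER")
    set pass = $system.Util.GetEnviron("OAUTH_DIRECT_PASSWORD")
    if (user = "") || (pass = "") { quit $$$OK }

    set username = user
    set password = pass

    // Record the path taken; the properties object is available in later processing.
    do properties.CustomProperties.SetAt("direct", "login_path")
    quit $$$OK
}

}
```

Every denial path returns $$$OK with username left at $char(0), so the client receives access_denied rather than a server error.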
