
%SYS.OAuth2.Validation

class %SYS.OAuth2.Validation extends %Library.RegisteredObject

The %SYS.OAuth2.Validation class defines the methods used to validate (or invalidate) an access token.

The underlying token is stored in OAuth2.AccessToken in the CACHESYS database. OAuth2.AccessToken is indexed by the combination of SessionId and ApplicationName. Therefore, only one scope may be requested for each SessionId/ApplicationName. If a second request is made with a different scope and no access token has yet been granted, the scope in the new request becomes the expected scope.
Note that this class is in CACHELIB and thus available everywhere. However, token storage is in CACHESYS and thus not directly available to most code.

Method Inventory

Methods

classmethod ValidateIDToken(applicationName As %String, IDToken As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
ValidateIDToken validates the signed OpenID Connect ID token and creates an object to reflect the JWT properties. ValidateIDToken also validates the access token based on the at_hash property of the IDToken. The applicationName argument is the name of the client or resource server configuration which contains authorization server access data, such as authorization server ServerCredentials. The scope argument is a blank separated list of scope values. If scope is specified, the access token must have an associated scope which is a superset of the scope parameter.
The aud argument specifies the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
The claims in the JSON object are returned in jsonObject as a Cache object.
securityParameters - Array of Strings that was used to set the JSON Object Signature and/or Encryption operations to be performed on the JWT

For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm

For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm
securityParameters("encalg") - Content encryption algorithm
Note, securityParameters("keyalg") and securityParameters("encalg") must both be specified or null.
See %OAuth2.JWT for the list of supported algorithms.
classmethod ValidateJWT(applicationName As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
ValidateJWT validates the signed JWT token and creates an object to reflect the JWT properties. The applicationName argument is the name of the client or resource server configuration which contains authorization server access data, such as authorization server ServerCredentials. The scope argument is a blank separated list of scope values. If scope is specified, the JWT must contain a scope claim which is a superset of the scope parameter.
The aud argument specifies the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
The claims in the JSON object are returned in jsonObject as a Cache object.
securityParameters - Array of Strings that was used to set the JSON Object Signature and/or Encryption operations to be performed on the JWT

For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm

For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm
securityParameters("encalg") - Content encryption algorithm
Note, securityParameters("keyalg") and securityParameters("encalg") must both be specified or null.
See %OAuth2.JWT for the list of supported algorithms.
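The following ObjectScript class is an added example showing how a resource server would call ValidateJWT and how a client would call ValidateIDToken as described above; it is not part of the %SYS.OAuth2.Validation reference or of the InterSystems library. The configuration names "ResourceServerCfg" and "ClientCfg", the audience value, the required scope and the class name are assumptions, and HandleRequest assumes it runs inside a %CSP.REST dispatch where %response is defined and that %SYS.OAuth2.AccessToken provides GetAccessTokenFromRequest.

```objectscript
Include %occStatus

/// Added example for the %SYS.OAuth2.Validation reference; not part of the
/// InterSystems library. "ResourceServerCfg", "ClientCfg", the audience and
/// the required scope are hypothetical values.
Class Demo.OAuth2.TokenChecks Extends %RegisteredObject
{

/// Resource-server side: validate a bearer JWT access token against the scope
/// and audience this server requires. Returns 1 and the "sub" claim on success,
/// 0 and a failure %Status otherwise.
ClassMethod CheckAccessToken(accessToken As %String, Output subject As %String, Output sc As %Status) As %Boolean
{
    Set subject = "", sc = $$$OK
    // Blank-separated scope list; the token's scope must be a superset of it.
    Set requiredScope = "openid profile"
    // Audience this resource server expects; passing "" would skip the audience check.
    Set expectedAud = "https://api.example.test"
    Set valid = ##class(%SYS.OAuth2.Validation).ValidateJWT("ResourceServerCfg", accessToken, requiredScope, expectedAud, .claims, .securityParameters, .sc)
    If 'valid {
        // ValidateJWT can return 0 while sc is still OK (e.g. scope or audience
        // mismatch), so make sure the caller always receives an error status.
        If $$$ISOK(sc) Set sc = $$$ERROR($$$GeneralError, "Access token rejected")
        Quit 0
    }
    // securityParameters("sigalg") is empty when no JWS was applied (e.g. a
    // JWE-only token); this server only trusts signed tokens.
    If $Get(securityParameters("sigalg")) = "" {
        Set sc = $$$ERROR($$$GeneralError, "Access token is not a signed JWT")
        Quit 0
    }
    Set subject = claims.sub
    Quit 1
}

/// Client side: validate the signed OpenID Connect ID token received together
/// with an access token. ValidateIDToken also checks the access token against
/// the ID token's at_hash claim, binding the two tokens. An empty aud argument
/// is passed here, so no audience checking takes place for this call.
ClassMethod CheckIDToken(idToken As %String, accessToken As %String, Output claims As %RegisteredObject, Output sc As %Status) As %Boolean
{
    Set sc = $$$OK
    Set valid = ##class(%SYS.OAuth2.Validation).ValidateIDToken("ClientCfg", idToken, accessToken, "openid", "", .claims, .securityParameters, .sc)
    If 'valid {
        If $$$ISOK(sc) Set sc = $$$ERROR($$$GeneralError, "ID token rejected")
        Quit 0
    }
    // Require a JWS signature on the ID token as well.
    If $Get(securityParameters("sigalg")) = "" {
        Set sc = $$$ERROR($$$GeneralError, "ID token is not signed")
        Quit 0
    }
    Quit 1
}

/// REST handler body: read the bearer token from the current request
/// (GetAccessTokenFromRequest on %SYS.OAuth2.AccessToken is assumed here)
/// and answer 401 when validation fails.
ClassMethod HandleRequest() As %Status
{
    Set accessToken = ##class(%SYS.OAuth2.AccessToken).GetAccessTokenFromRequest(.sc)
    If $$$ISERR(sc) || (accessToken = "") {
        Set %response.Status = "401 Unauthorized"
        Quit $$$OK
    }
    If '..CheckAccessToken(accessToken, .subject, .sc) {
        Set %response.Status = "401 Unauthorized"
        Quit $$$OK
    }
    // Token accepted: serve the protected resource for this subject.
    Write "Authenticated subject: "_subject
    Quit $$$OK
}

}
```

The scope passed to ValidateJWT is the minimum the endpoint needs, not every scope the client might hold, and the audience is always supplied on the resource-server side because an empty aud disables audience checking entirely. The explicit sigalg check is an extra guard on top of the library's validation: the documented securityParameters array tells the caller which JWS and JWE operations were actually applied, so code that only trusts signed tokens can refuse anything that arrived without one.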
