Skip to main content


persistent class OAuth2.Client extends %Library.Persistent

SQL Table Name: OAuth2.Client

The OAuth2.Client class describes an OAuth2 client and references the Authorization server that it uses to authorize the application based on RFC 6749. A client system may be used with multiple authorization servers for different applications.

Property Inventory

Method Inventory


property AcceptNonStandardImplicitIdToken as %Boolean [ InitialExpression = 0 ];
If AcceptNonStandardImplicitIdToken is true, then this client will accept requested id tokens even when the server response they are sent in does not contain the openid scope.
Property methods: AcceptNonStandardImplicitIdTokenDisplayToLogical(), AcceptNonStandardImplicitIdTokenGet(), AcceptNonStandardImplicitIdTokenGetStored(), AcceptNonStandardImplicitIdTokenIsValid(), AcceptNonStandardImplicitIdTokenLogicalToDisplay(), AcceptNonStandardImplicitIdTokenNormalize(), AcceptNonStandardImplicitIdTokenSet()
property ApplicationName as %String (MAXLEN = 128, MINLEN = 1) [ Required ];
The ApplicationName identifies this application (client + authorization server) configuration.
Chosen by user during configuration.
Property methods: ApplicationNameDisplayToLogical(), ApplicationNameGet(), ApplicationNameGetStored(), ApplicationNameIsValid(), ApplicationNameLogicalToDisplay(), ApplicationNameLogicalToOdbc(), ApplicationNameNormalize(), ApplicationNameSet()
deprecated property AuthenticationType as %String (VALUELIST = ",none,basic,body,client_secret_jwt,private_key_jwt") [ InitialExpression = "basic" ];
**** Replaced by OAuth2.Client.Metadata properties when dynamic client support introduced
The type of authentication (as specified in RFC 6749 or OpenID Connect Core section 9) to be used for HTTP requests to the authorization server.
Property methods: AuthenticationTypeDisplayToLogical(), AuthenticationTypeGet(), AuthenticationTypeGetStored(), AuthenticationTypeIsValid(), AuthenticationTypeLogicalToDisplay(), AuthenticationTypeLogicalToOdbc(), AuthenticationTypeNormalize()
property ClientCredentials as %String;
ClientCredentials is the alias of the %SYS.X509Credentials object which contains the client's certificate and private key.
Property methods: ClientCredentialsDisplayToLogical(), ClientCredentialsGet(), ClientCredentialsGetStored(), ClientCredentialsIsValid(), ClientCredentialsLogicalToDisplay(), ClientCredentialsLogicalToOdbc(), ClientCredentialsNormalize(), ClientCredentialsSet()
property ClientId as %String);
The client id that is supplied during client registration.
Required for all ClientTypes.
Property methods: ClientIdDisplayToLogical(), ClientIdGet(), ClientIdGetStored(), ClientIdIsValid(), ClientIdLogicalToDisplay(), ClientIdLogicalToOdbc(), ClientIdNormalize(), ClientIdSet()
property ClientPassword as %String (MAXLEN = 128);
ClientPassword is the password for the private key in ClientCredentials if the password is not in the %SYS.X5009Credentials object
Property methods: ClientPasswordDisplayToLogical(), ClientPasswordGet(), ClientPasswordGetStored(), ClientPasswordIsValid(), ClientPasswordLogicalToDisplay(), ClientPasswordLogicalToOdbc(), ClientPasswordNormalize(), ClientPasswordSet()
property ClientSecret as %String);
The client secret that is supplied during client registration.
Required if ClientType is confidential or resource server.
Property methods: ClientSecretDisplayToLogical(), ClientSecretGet(), ClientSecretGetStored(), ClientSecretIsValid(), ClientSecretLogicalToDisplay(), ClientSecretLogicalToOdbc(), ClientSecretNormalize(), ClientSecretSet()
property ClientType as %String (VALUELIST = ",public,confidential,resource") [ Required ];
The type of client configuration:
public - a public client. See RFC 6749 confidential - a confidential client. See RFC 6749 resource - a resource server which is not also a client.
Chosen by user during configuration. Will usually be confidential client for an InterSystems IRIS application.
Property methods: ClientTypeDisplayToLogical(), ClientTypeGet(), ClientTypeGetStored(), ClientTypeIsValid(), ClientTypeLogicalToDisplay(), ClientTypeLogicalToOdbc(), ClientTypeNormalize(), ClientTypeSet()
property DefaultScope as %String);
The default scope, as a blank separated list, for access token requests.
Chosen by user during configuration.
Property methods: DefaultScopeDisplayToLogical(), DefaultScopeGet(), DefaultScopeGetStored(), DefaultScopeIsValid(), DefaultScopeLogicalToDisplay(), DefaultScopeLogicalToOdbc(), DefaultScopeNormalize(), DefaultScopeSet()
property Description as %String (MAXLEN = 256);
Description of the application.
Chosen by user during configuration.
Property methods: DescriptionDisplayToLogical(), DescriptionGet(), DescriptionGetStored(), DescriptionIsValid(), DescriptionLogicalToDisplay(), DescriptionLogicalToOdbc(), DescriptionNormalize(), DescriptionSet()
property Enabled as %Boolean [ InitialExpression = 1 , Required ];
True if client application is enabled.
Chosen by user during configuration.
Property methods: EnabledDisplayToLogical(), EnabledGet(), EnabledGetStored(), EnabledIsValid(), EnabledLogicalToDisplay(), EnabledNormalize(), EnabledSet()
deprecated property EncryptionAlgorithm as %String (VALUELIST = ",A128CBC-HS256,A192CBC-HS384,A256CBC-HS512");
**** Replaced by OAuth2.Client.Metadata properties when dynamic client support introduced
Property methods: EncryptionAlgorithmDisplayToLogical(), EncryptionAlgorithmGet(), EncryptionAlgorithmGetStored(), EncryptionAlgorithmIsValid(), EncryptionAlgorithmLogicalToDisplay(), EncryptionAlgorithmLogicalToOdbc(), EncryptionAlgorithmNormalize()
property JWTAudience as %String (MAXLEN = 256);
Defines the value to use for the "aud" claim in tokens generated for private_key_jwt and client_secret_jwt authentication methods, as well as for the JWT Authorization grant type. For new configurations this will be the authorization server's token endpoint by default. For backwards compatibility, if this is undefined the client will use the issuer endpoint.
Property methods: JWTAudienceDisplayToLogical(), JWTAudienceGet(), JWTAudienceGetStored(), JWTAudienceIsValid(), JWTAudienceLogicalToDisplay(), JWTAudienceLogicalToOdbc(), JWTAudienceNormalize(), JWTAudienceSet()
property JWTInterval as %Integer [ InitialExpression = 60 ];
JWTInterval is the interval in seconds after which a JWT expires which is used for client_secret_jwt or private_key_jwt authentication types. The default is 1 minute. There should be no need to change the default since this JWT may only be used once.
Property methods: JWTIntervalDisplayToLogical(), JWTIntervalGet(), JWTIntervalGetStored(), JWTIntervalIsValid(), JWTIntervalLogicalToDisplay(), JWTIntervalNormalize(), JWTIntervalSet()
deprecated property KeyAlgorithm as %String (VALUELIST = ",RSA1_5,RSA-OAEP");
**** Replaced by OAuth2.Client.Metadata properties when dynamic client support introduced
Property methods: KeyAlgorithmDisplayToLogical(), KeyAlgorithmGet(), KeyAlgorithmGetStored(), KeyAlgorithmIsValid(), KeyAlgorithmLogicalToDisplay(), KeyAlgorithmLogicalToOdbc(), KeyAlgorithmNormalize()
property Metadata as OAuth2.Client.Metadata;
The meta data which describes this client.
Property methods: MetadataGet(), MetadataGetObject(), MetadataGetObjectId(), MetadataGetStored(), MetadataGetSwizzled(), MetadataIsValid(), MetadataNewObject(), MetadataSet(), MetadataSetObject(), MetadataSetObjectId(), MetadataUnSwizzle()
property RedirectionEndpoint as OAuth2.Endpoint;
The endpoint object for the URL to be used by the authorization server to return the response to an authorization request.
Required if ClientType is public or confidential, Chosen by user during configuration.
Property methods: RedirectionEndpointGet(), RedirectionEndpointGetObject(), RedirectionEndpointGetObjectId(), RedirectionEndpointGetStored(), RedirectionEndpointGetSwizzled(), RedirectionEndpointIsEmpty(), RedirectionEndpointIsValid(), RedirectionEndpointNewObject(), RedirectionEndpointSet(), RedirectionEndpointSetObject(), RedirectionEndpointSetObjectId(), RedirectionEndpointUnSwizzle()
property SSLConfiguration as %String (MAXLEN = 64, MINLEN = 1) [ Required ];
The name of the activated TLS/SSL configuration to use for authorization server requests.
Chosen by user during configuration.
Property methods: SSLConfigurationDisplayToLogical(), SSLConfigurationGet(), SSLConfigurationGetStored(), SSLConfigurationIsValid(), SSLConfigurationLogicalToDisplay(), SSLConfigurationLogicalToOdbc(), SSLConfigurationNormalize(), SSLConfigurationSet()
relationship ServerDefinition as OAuth2.ServerDefinition [ Inverse = Clients , Cardinality = one ];
ServerDefinition is the reference to the OAuth2.ServerDefinition object which describes the authorization server to be used for this client.
Property methods: ServerDefinitionGet(), ServerDefinitionGetObject(), ServerDefinitionGetObjectId(), ServerDefinitionGetStored(), ServerDefinitionGetSwizzled(), ServerDefinitionIsValid(), ServerDefinitionNewObject(), ServerDefinitionOnDelete(), ServerDefinitionRClose(), ServerDefinitionRExec(), ServerDefinitionRFetch(), ServerDefinitionRelate(), ServerDefinitionSQLCompute(), ServerDefinitionSet(), ServerDefinitionSetObject(), ServerDefinitionSetObjectId(), ServerDefinitionUnRelate(), ServerDefinitionUnSwizzle()
deprecated property SigningAlgorithm as %String (VALUELIST = ",RS256,RS384,RS512");
**** Replaced by OAuth2.Client.Metadata properties when dynamic client support introduced
Property methods: SigningAlgorithmDisplayToLogical(), SigningAlgorithmGet(), SigningAlgorithmGetStored(), SigningAlgorithmIsValid(), SigningAlgorithmLogicalToDisplay(), SigningAlgorithmLogicalToOdbc(), SigningAlgorithmNormalize()


classmethod DeleteId(id As %String) as %Status
Delete this client configuration.
method JWTAudienceGet() as %String
classmethod Open(applicationName As %String, Output sc As %Status) as OAuth2.Client
Open an OAuth2.Client instance based on the applicationName ID property
method RefreshJWKS(force As %Boolean = 0, save As %Boolean = 1, Output sc As %Status) as %Boolean
If the server's public JWKS was specified using the jwks_uri metadata parameter, this method will fetch the jwks if it has expired.

  • force - refresh the jwks even if the cached version is still valid (default is 0)
  • save - save the client definition (default is 1)
  • sc (output) - Status code structure containing any errors
  • 1 - if the jwks was updated
  • 0 - if the cached version was still valid
method RotateKeys() as %Status
Rotate the client's public/private key pairs by adding a new key pair to the JWKS and saving the JWKS. At this time, all private keys are kept. In the future only a limited set of private keys will be kept.


query List()
SQL Query:
SELECT ApplicationName, ClientType, DefaultScope FROM Client ORDER BY ApplicationName
List client applications for SMP page
query ListForServer(serverID As %String)
SQL Query:
SELECT ApplicationName, ClientType, DefaultScope FROM Client WHERE ServerDefinition->ID=:serverID ORDER BY ApplicationName
List client applications that use the sppecified server


index (IDIndex on ApplicationName) [IdKey, Type = key, Unique];
The IDKEY for the application class.
Index methods: IDIndexCheck(), IDIndexDelete(), IDIndexExists(), IDIndexOpen(), IDIndexSQLCheckUnique(), IDIndexSQLExists(), IDIndexSQLFindPKeyByConstraint(), IDIndexSQLFindRowIDByConstraint()

Inherited Members

Inherited Methods


Storage Model: Storage (OAuth2.Client)

FeedbackOpens in a new tab