Skip to main content


class OAuth2.Server.OpenID extends %Library.RegisteredObject

The authorization server supports the OpenId Connect specification. The OAuth2.Server.OpenID class is a helper class which contains the OpenID functionality. This class is used internally by InterSystems IRIS. You should not make direct use of it within your applications. There is no guarantee made about either the behavior or future operation of this class.

Method Inventory


classmethod CreateIDToken(token As OAuth2.Server.AccessToken, Output sc As %Status) as %String
Add the additional properties that are needed for the IDToken Create an IDToken based on token properties. We assume %server is the server configuration.
classmethod Hash(alg As %String, tokenString As %String) as %String
Compute the token hash
classmethod IsOpenID(scope As %String) as %Boolean
Is this an OpenID authorization request? Find out by looking for openid scope.
classmethod Validate(applicationName As %String, IDToken As %String, accessToken As %String, scope As %String, aud As %String, Output jsonObject As %RegisteredObject, Output securityParameters As %String, Output sc As %Status) as %Boolean
Validate validates the signed OpenID Connect ID token and creates an object to reflect the JWT properties. Validate also validates the access token based on the at_hash property of the IDToken. The applicationName argument is the name of the client or resource server configuration which contains authorization server access data, such as authorization server ServerCredentials. The scope argument is a blank separated list of scope values. If scope is specified, the acces token must have an associated scope which is a superset of the scope parameter.
The aud argument specifies the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
The claims in the JSON object are returned in jsonObject .
securityParameters - Array of Strings that was used to set the JSON Object Signature and/or Encryption operations to be performed on the JWT

See %Net.JSON.JWA for the list of supported algorithms.
For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm.
For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm
Note, securityParameters("keyalg") and securityParameters("encalg") must both be specified or null.
See %Net.JSON.JWA for the list of supported algorithms.

Inherited Members

Inherited Methods

FeedbackOpens in a new tab