The %SYS.OAuth2.AccessToken class defines the client operations which allow an access token to be used to authorize to a resource server.
Static Public Member Functions

| Returns | Member | Description |
|---|---|---|
| %Library.Status | AddAccessToken(%Net.HttpRequest httpRequest, %Library.String type, %Library.String sslConfiguration, %Library.String applicationName, %Library.String sessionId) | AddAccessToken adds the bearer access token associated with applicationName and sessionId to a resource server request. |
| %Library.Status | AddAuthentication(%Library.String applicationName, %Net.HttpRequest httpRequest) | AddAuthentication adds the required authentication for the token request. |
| %Library.Status | AuthorizeWithAccessToken(%Net.HttpRequest httpRequest, %Library.String type, %Library.String sslConfiguration, %Library.String applicationName, %Library.String accessToken) | AuthorizeWithAccessToken adds the bearer access token which is passed as an argument to this method. |
| %Library.String | GetAccessTokenFromRequest(%Library.Status sc) | GetAccessTokenFromRequest returns the access token which is found in the HTTP request. |
| %Library.Status | GetIntrospection(%Library.String applicationName, %Library.String accessToken, %Library.RegisteredObject jsonObject) | Retrieves the JSON object which contains claims about accessToken. |
| %Library.Status | GetUserinfo(%Library.String applicationName, %Library.String accessToken, %Library.RegisteredObject IDTokenObject, %Library.RegisteredObject jsonObject, %Library.String securityParameters) | Retrieves the JSON object that is returned from the userinfo endpoint for the specified access token. |
| %Library.Boolean | IsAudContained(%Library.DynamicArray containingAud, %Library.String aud) | Checks that the specified audience is contained in the containing audience list. |
| %Library.Boolean | IsAuthorized(%Library.String applicationName, %Library.String sessionId, %Library.String scope, %Library.String accessToken, %Library.String IDToken, responseProperties, %OAuth2.Error error) | IsAuthorized returns true if the applicationName and sessionId combination has an access token which authorizes all the requested scopes. |
| %Library.Boolean | IsScopeContained(%Library.String containingScope, %Library.String scope) | Checks that scope is a subset of the valid scopes for this token. |
| %Library.Status | RemoveAccessToken(%Library.String applicationName, %Library.String sessionId) | Removes the token associated with the specified application and session from the client. |
| %Library.Status | RemoveAuthorizationAccessToken(%Net.HttpRequest httpRequest, %Library.String type) | RemoveAuthorizationAccessToken removes the access token from the %Net.HttpRequest object. |
| %Library.Status | RevokeToken(%Library.String applicationName, %Library.String accessToken) | RevokeToken invalidates the access token using the revocation endpoint. |
The underlying token is stored in OAuth2.AccessToken in the system database. OAuth2.AccessToken is indexed by the combination of SessionId and ApplicationName. Therefore, only one scope may be requested for each SessionId/ApplicationName pair. If a second request is made with a different scope and an access token has not yet been granted, the scope in the new request becomes the expected scope.
Note that this class is in the library and thus available everywhere. However, token storage is in the system database and thus not directly accessible to most code.
static %Library.Status AddAccessToken(%Net.HttpRequest httpRequest, %Library.String type, %Library.String sslConfiguration, %Library.String applicationName, %Library.String sessionId)

AddAccessToken adds the bearer access token associated with applicationName and sessionId to the resource server request as defined by RFC 6750. The sslConfiguration that is specified for the client is added to the httpRequest object. This method is used to prepare requests from the Client to the Resource Server. The type argument specifies one of the three ways defined by RFC 6750 to send the access token to the Resource Server:
"header" to use Bearer token HTTP header.
"body" to use form encoded body. In this case, request must be a POST with form encoded body.
"query" to use a query parameter.
The sslConfiguration is the name of the Security.SSLConfigs object to use for this request. The default for sslConfiguration comes from the OAuth2.Client instance.
static %Library.Status AddAuthentication(%Library.String applicationName, %Net.HttpRequest httpRequest)

AddAuthentication adds the required authentication for the token request and the SSLConfiguration that is specified for the client. See the "token_endpoint_auth_method" property of OAuth2.Client.Metadata. This method is used for sending HTTP requests to the Authorization Server.
static %Library.Status AuthorizeWithAccessToken(%Net.HttpRequest httpRequest, %Library.String type, %Library.String sslConfiguration, %Library.String applicationName, %Library.String accessToken)

AuthorizeWithAccessToken adds the bearer access token which is passed as an argument to this method to the resource server request as defined by RFC 6750. The sslConfiguration that is specified for the client is added to the httpRequest object. This method is used to prepare requests from the Client to the Resource Server. The type argument specifies one of the three ways defined by RFC 6750 to send the access token to the Resource Server:
"header" to use Bearer token HTTP header.
"body" to use form encoded body. In this case, request must be a POST with form encoded body.
"query" to use a query parameter.
The sslConfiguration is the name of the Security.SSLConfigs object to use for this request. The default for sslConfiguration comes from the OAuth2.Client instance.
static %Library.String GetAccessTokenFromRequest(%Library.Status sc)

GetAccessTokenFromRequest returns the access token which is found in the HTTP request using one of the three RFC 6750 formats (see AddAccessToken above). The returned token has not yet been checked: it should be validated using a Validate method or a user-written Validate method. This method is used by the Resource Server to authorize requests from the Client.
static %Library.Status GetIntrospection(%Library.String applicationName, %Library.String accessToken, %Library.RegisteredObject jsonObject)

GetIntrospection retrieves the JSON object, returned from the introspection endpoint, which contains claims about accessToken. The request is authorized using the basic authorization HTTP header with the client_id and client_secret associated with applicationName.
The claims returned by the introspection endpoint are returned as the properties of jsonObject.
static %Library.Status GetUserinfo(%Library.String applicationName, %Library.String accessToken, %Library.RegisteredObject IDTokenObject, %Library.RegisteredObject jsonObject, %Library.String securityParameters)

GetUserinfo retrieves the JSON object that is returned from the userinfo endpoint for the specified access token.
The request is authorized using the specified access token. If the userinfo endpoint returns a JWT, then the object is optionally decrypted and the signature checked.
If IDTokenObject is passed, it is the object returned by ##class(%SYS.OAuth2.Validation).ValidateIDToken and is used to check the sub property.
The claims returned by the userinfo endpoint are returned as the properties of jsonObject.
securityParameters is returned as a local array of Strings that indicate the algorithms that were used for the JSON Object Signature and/or Encryption operations performed on the JWT by the authorization server.
For JSON Web Signature (JWS):
securityParameters("sigalg") - Signature or MAC algorithm
For JSON Web Encryption (JWE):
securityParameters("keyalg") - Key management algorithm
securityParameters("encalg") - Content encryption algorithm
See OAuth2.JWT for the list of supported algorithms.
static %Library.Boolean IsAudContained(%Library.DynamicArray containingAud, %Library.String aud)

IsAudContained checks that the specified audience is contained in the containing audience list. containingAud may be either a single audience as a String or a list of audiences as a DynamicArray.
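The resource-server side described under GetAccessTokenFromRequest, GetIntrospection and IsAudContained above, combined into one REST handler. This is an added example, not code from the class reference or from InterSystems. Assumed placeholders: the OAuth2 client definition named "MyResourceApp", the audience URI "https://api.example.test/orders", and the scope "read:orders"; the method runs inside a CSP/REST request context so the incoming HTTP request and %response are available. The introspection property names (active, scope, aud) follow RFC 7662.

```objectscript
/// Added example (not from the class reference): fail-closed bearer-token check for a
/// resource server. Client definition "MyResourceApp", the audience URI and the scope
/// are assumed placeholders.
Class Demo.OAuth2Resource Extends %CSP.REST
{

/// Returns $$$OK only when the request carries an active token issued for this
/// resource with every required scope. httpStatus tells the caller which RFC 6750
/// status to send back when the check fails.
ClassMethod CheckRequest(requiredScope As %String = "read:orders", Output httpStatus As %String) As %Status
{
    Set sc = $$$OK, httpStatus = "401 Unauthorized"
    // Pull the token out of the Authorization header, form body or query parameter (RFC 6750).
    Set accessToken = ##class(%SYS.OAuth2.AccessToken).GetAccessTokenFromRequest(.sc)
    If $$$ISERR(sc) Quit sc
    If accessToken = "" Quit $$$ERROR($$$GeneralError, "request carries no access token")

    // The raw token is untrusted input: ask the authorization server about it.
    // GetIntrospection authenticates with the client_id/client_secret of MyResourceApp.
    Set sc = ##class(%SYS.OAuth2.AccessToken).GetIntrospection("MyResourceApp", accessToken, .jsonObject)
    If $$$ISERR(sc) Quit sc
    // Introspection claims (RFC 7662: active, scope, aud, exp, ...) are properties of jsonObject.
    If 'jsonObject.active Quit $$$ERROR($$$GeneralError, "access token is not active")

    // From here on the token is valid but may not be good enough: report 403 instead of 401.
    Set httpStatus = "403 Forbidden"
    // aud may be a single string or a list; IsAudContained accepts either form.
    If '##class(%SYS.OAuth2.AccessToken).IsAudContained(jsonObject.aud, "https://api.example.test/orders") {
        Quit $$$ERROR($$$GeneralError, "access token was not issued for this resource")
    }
    // Every scope this handler needs must be among the scopes granted to the token.
    If '##class(%SYS.OAuth2.AccessToken).IsScopeContained(jsonObject.scope, requiredScope) {
        Quit $$$ERROR($$$GeneralError, "access token lacks scope: "_requiredScope)
    }
    Quit $$$OK
}

/// Route handler: authorize before touching the protected resource.
ClassMethod GetOrders() As %Status
{
    Set sc = ..CheckRequest("read:orders", .httpStatus)
    If $$$ISERR(sc) {
        Set %response.Status = httpStatus
        // Status text only; the failure detail stays in sc for server-side logging.
        Quit $$$OK
    }
    Write "{""orders"":[]}"
    Quit $$$OK
}

XData UrlMap
{
<Routes>
<Route Url="/orders" Method="GET" Call="GetOrders"/>
</Routes>
}

}
```

The check deliberately reports 401 for a missing or inactive token and 403 for a token that is valid but has the wrong audience or insufficient scope, which is the distinction RFC 6750 draws; the detailed reason is kept in the returned %Status rather than echoed to the caller.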
static %Library.Boolean IsAuthorized(%Library.String applicationName, %Library.String sessionId, %Library.String scope, %Library.String accessToken, %Library.String IDToken, responseProperties, %OAuth2.Error error)

IsAuthorized returns true if the applicationName and sessionId combination has an access token which authorizes all the scopes that are specified by the scope argument.
applicationName is the name of the application that is being authorized.
sessionId is the session id. sessionId defaults to %session.SessionId and will usually not be specified.
scope is a blank-separated list of scopes.
responseProperties will be returned as a local array specifying the properties that were included in the token response, in the form responseProperties(name)=value.
The access token is returned in the accessToken argument.
static %Library.Status RevokeToken(%Library.String applicationName, %Library.String accessToken)

RevokeToken invalidates the access token using the revocation endpoint.
This method will be called automatically when the session holding the token is deleted. This method may also be called from user code to make the token no longer valid. RevokeToken will call %SYS.OAuth2.AccessToken.Remove to remove the token from the client.
The request is authorized using the basic authorization HTTP header with the client_id and client_secret associated with applicationName.
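The client side of the same flow, using IsAuthorized, AddAccessToken, GetUserinfo (with its securityParameters array) and RevokeToken as described in their sections above. This is an added example, not code from the class reference or from InterSystems. Assumed placeholders: the OAuth2 client definition "MyClientApp", a resource server at api.example.test with path /orders, and the scope "read:orders"; the class runs inside a CSP/REST session so %session is available. Refusing an unsigned userinfo JWT is this example's own policy, not behaviour the class documents.

```objectscript
/// Added example (not from the class reference): client that checks for a session token,
/// attaches it to a resource-server request, reads userinfo, and revokes on logout.
/// "MyClientApp", api.example.test, /orders and "read:orders" are assumed placeholders.
Class Demo.OAuth2Client Extends %RegisteredObject
{

Parameter APPNAME = "MyClientApp";

Parameter SCOPE = "read:orders";

/// Call the resource server with the session's bearer token in the Authorization header.
ClassMethod GetOrders(Output body As %String) As %Status
{
    // sessionId is omitted so it defaults to %session.SessionId; scope is a blank-separated list.
    Set ok = ##class(%SYS.OAuth2.AccessToken).IsAuthorized(..#APPNAME, , ..#SCOPE, .accessToken, .idToken, .responseProperties, .error)
    If 'ok {
        If $isobject($get(error)) Quit $$$ERROR($$$GeneralError, "authorization error: "_error.ErrorDescription)
        // No usable token for this scope yet: the caller should start the authorization flow.
        Quit $$$ERROR($$$GeneralError, "session holds no token for scope "_..#SCOPE)
    }
    Set httpRequest = ##class(%Net.HttpRequest).%New()
    Set httpRequest.Server = "api.example.test", httpRequest.Https = 1
    // "header" selects the RFC 6750 Bearer header; "" for sslConfiguration takes the
    // default from the OAuth2.Client definition.
    Set sc = ##class(%SYS.OAuth2.AccessToken).AddAccessToken(httpRequest, "header", "", ..#APPNAME, %session.SessionId)
    If $$$ISERR(sc) Quit sc
    Set sc = httpRequest.Get("/orders")
    If $$$ISERR(sc) Quit sc
    If httpRequest.HttpResponse.StatusCode = 401 {
        // The resource server no longer accepts the token: drop the local copy so the
        // next call goes through authorization again instead of replaying a dead token.
        Do ##class(%SYS.OAuth2.AccessToken).RemoveAccessToken(..#APPNAME, %session.SessionId)
        Quit $$$ERROR($$$GeneralError, "resource server rejected the access token")
    }
    Set body = httpRequest.HttpResponse.Data.Read()
    Quit $$$OK
}

/// Fetch userinfo claims and inspect the algorithms reported in securityParameters.
ClassMethod GetClaims(Output claims As %RegisteredObject) As %Status
{
    If '##class(%SYS.OAuth2.AccessToken).IsAuthorized(..#APPNAME, , ..#SCOPE, .accessToken) {
        Quit $$$ERROR($$$GeneralError, "no access token in session")
    }
    // IDTokenObject is omitted here; pass the object from ValidateIDToken to have sub cross-checked.
    Set sc = ##class(%SYS.OAuth2.AccessToken).GetUserinfo(..#APPNAME, accessToken, , .claims, .securityParameters)
    If $$$ISERR(sc) Quit sc
    // The local array is populated only when the endpoint returned a JWT:
    //   securityParameters("sigalg")  JWS signature or MAC algorithm
    //   securityParameters("keyalg")  JWE key management algorithm
    //   securityParameters("encalg")  JWE content encryption algorithm
    // Example policy (assumption, not documented behaviour): do not accept an unsigned JWT.
    If $get(securityParameters("sigalg")) = "none" Quit $$$ERROR($$$GeneralError, "userinfo JWT is unsigned")
    Quit $$$OK
}

/// On logout, revoke at the authorization server; RevokeToken also removes the client copy.
ClassMethod Logout() As %Status
{
    If '##class(%SYS.OAuth2.AccessToken).IsAuthorized(..#APPNAME, , ..#SCOPE, .accessToken) Quit $$$OK
    Quit ##class(%SYS.OAuth2.AccessToken).RevokeToken(..#APPNAME, accessToken)
}

}
```

Calling RevokeToken rather than only RemoveAccessToken on logout matters because removal only forgets the client's copy; revocation tells the authorization server to stop honouring the token, so a copy captured elsewhere stops working too.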