%SYS.OAuth2.Validation Class Reference

The %SYS.OAuth2.Validation class defines the methods used to validate an access token or ID token.


Static Public Member Functions

%Library.Boolean ValidateIDToken (%Library.String applicationName, %Library.String IDToken, %Library.String accessToken, %Library.String scope, %Library.String aud, %Library.RegisteredObject jsonObject, %Library.String securityParameters, %Library.Status sc)
 ValidateIDToken validates the signed OpenID Connect ID token and creates an object to reflect the JWT properties.
 
%Library.Boolean ValidateJWT (%Library.String applicationName, %Library.String accessToken, %Library.String scope, %Library.String aud, %Library.DynamicObject jsonObject, %Library.String securityParameters, %Library.Status sc, %Library.DynamicObject headerObject)
 ValidateJWT validates the given JWT token and creates an object to reflect the JWT properties.
 

Detailed Description

The %SYS.OAuth2.Validation class defines the methods used to validate an access token or ID token.

Member Function Documentation

◆ ValidateIDToken()

%Library.Boolean ValidateIDToken ( %Library.String  applicationName,
%Library.String  IDToken,
%Library.String  accessToken,
%Library.String  scope,
%Library.String  aud,
%Library.RegisteredObject  jsonObject,
%Library.String  securityParameters,
%Library.Status  sc 
)
static

ValidateIDToken validates the signed OpenID Connect ID token and creates an object to reflect the JWT properties.

ValidateIDToken also validates the access token against the at_hash claim of the ID token, which binds the access token to the ID token it was issued with.

  • applicationName - the name of the client or resource server configuration which contains authorization server access data, such as the authorization server ServerCredentials.
  • scope - a blank-separated list of scope values. If scope is specified, the JWT must contain a scope claim which is a superset of this parameter.
  • aud - the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
  • jsonObject - a JSON object containing the claims in the JWT.
  • securityParameters - an array of strings indicating the signature and/or encryption operations to be performed on the ID token.

    For JSON Web Signature (JWS):
    • securityParameters("sigalg") - Signature or MAC algorithm.

    For JSON Web Encryption (JWE):
    • securityParameters("keyalg") - Key management algorithm.
    • securityParameters("encalg") - Content encryption algorithm.

    Note: securityParameters("keyalg") and securityParameters("encalg") must either both be specified or both be null.
    See %Net.JSON.JWA for the list of supported algorithms.
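The following ObjectScript class is an added example of a relying party calling ValidateIDToken; it is not code from the %SYS.OAuth2.Validation documentation or from InterSystems. The client configuration name "MyOIDCClient", the use of the client_id as the expected audience, the error reporting through a %Status, and reading claims as properties of jsonObject are all assumptions of the example.

```objectscript
/// Added example, not part of the %SYS.OAuth2.Validation documentation.
/// Assumed names: client configuration "MyOIDCClient", whose client_id is also
/// the audience an ID token issued to it carries.
Class Example.OAuth2.IDTokenCheck Extends %RegisteredObject
{

/// Validate an ID token together with the access token issued alongside it and
/// return the subject (sub) claim. Returns "" and sets sc on any failure.
ClassMethod SubjectFromTokens(idToken As %String, accessToken As %String, Output sc As %Status) As %String
{
    Set sc = $$$OK
    Set applicationName = "MyOIDCClient"   // assumed client configuration name
    Set requiredScope = "openid"           // an ID token is only issued under the openid scope
    Set aud = "MyOIDCClient"               // assumed: our client_id is the ID token's audience

    // One call checks the signature (and decrypts a JWE), the aud claim, that the scope
    // claim is a superset of requiredScope, and the at_hash binding of accessToken.
    // Claims come back in jsonObject, the algorithms used in securityParameters.
    Set isValid = ##class(%SYS.OAuth2.Validation).ValidateIDToken(applicationName, idToken, accessToken, requiredScope, aud, .jsonObject, .securityParameters, .sc)
    If 'isValid {
        If $$$ISOK(sc) Set sc = $$$ERROR($$$GeneralError,"ID token rejected")
        Quit ""
    }

    // Belt and braces: an ID token must have been signed, so a missing signature
    // algorithm means something upstream is misconfigured and the token is refused.
    If '$Data(securityParameters("sigalg")) {
        Set sc = $$$ERROR($$$GeneralError,"ID token was not signed")
        Quit ""
    }

    // sub is mandatory in an ID token; assumed here to be exposed as a property.
    Set sub = jsonObject.sub
    If sub = "" {
        Set sc = $$$ERROR($$$GeneralError,"ID token has no sub claim")
        Quit ""
    }
    Quit sub
}

}
```

Because the access token is passed in, a true result also means the access token the client holds is the one the ID token's at_hash was computed over; a token pair assembled from two different responses fails here rather than later at the resource server.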

◆ ValidateJWT()

%Library.Boolean ValidateJWT ( %Library.String  applicationName,
%Library.String  accessToken,
%Library.String  scope,
%Library.String  aud,
%Library.DynamicObject  jsonObject,
%Library.String  securityParameters,
%Library.Status  sc,
%Library.DynamicObject  headerObject 
)
static

ValidateJWT validates the given JWT token and creates an object to reflect the JWT properties.


This method accepts both signed and unsigned tokens. An application that requires tokens to be signed must inspect securityParameters("sigalg") after the call: if that value is undefined, the given token was not signed, and a true return value then says nothing about who issued the claims.

  • applicationName - the name of the client or resource server configuration which contains authorization server access data, such as the authorization server ServerCredentials.
  • scope - a blank-separated list of scope values. If scope is specified, the JWT must contain a scope claim which is a superset of this parameter.
  • aud - the audience which is using the token. If the token has an associated aud property (usually because the audience was specified when requesting the token), then aud is matched to the token audience. If aud is not specified, then no audience checking takes place.
  • jsonObject - a JSON object containing the claims in the JWT.
  • securityParameters - an array of strings indicating the signature and/or encryption operations to be performed on the JWT.

    For JSON Web Signature (JWS):
    • securityParameters("sigalg") - Signature or MAC algorithm. This is only set if the JWT is signed.

    For JSON Web Encryption (JWE):
    • securityParameters("keyalg") - Key management algorithm.
    • securityParameters("encalg") - Content encryption algorithm.

    Note: securityParameters("keyalg") and securityParameters("encalg") must either both be specified or both be null.
    See %Net.JSON.JWA for the list of supported algorithms.
  • headerObject - a JSON object containing the JWT header fields.
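The following ObjectScript class is an added example of a resource server calling ValidateJWT and applying the signed-token check described above; it is not code from the %SYS.OAuth2.Validation documentation or from InterSystems. The configuration name "MyResourceServer", the audience "https://api.example.com", the required scope "orders.read" and the %Status error reporting are assumptions of the example.

```objectscript
/// Added example, not part of the %SYS.OAuth2.Validation documentation.
/// Assumed names: resource server configuration "MyResourceServer", audience
/// "https://api.example.com" and the scope "orders.read" this endpoint requires.
Class Example.OAuth2.BearerCheck Extends %RegisteredObject
{

/// Authorize a bearer token presented to a protected resource. Returns 1 only when
/// the token validates, was signed, carries the expected aud and scope, and names a subject.
ClassMethod Authorize(accessToken As %String, Output subject As %String, Output sc As %Status) As %Boolean
{
    Set subject = "", sc = $$$OK
    Set applicationName = "MyResourceServer"     // assumed configuration name
    Set requiredScope = "orders.read"            // assumed: scope this endpoint needs
    Set aud = "https://api.example.com"          // assumed: audience identifying this API

    // Signature/decryption, aud and scope superset are checked here. Claims come
    // back in jsonObject, the JOSE header in headerObject, algorithms in securityParameters.
    Set isValid = ##class(%SYS.OAuth2.Validation).ValidateJWT(applicationName, accessToken, requiredScope, aud, .jsonObject, .securityParameters, .sc, .headerObject)
    If 'isValid {
        If $$$ISOK(sc) Set sc = $$$ERROR($$$GeneralError,"access token rejected")
        Quit 0
    }

    // ValidateJWT also returns true for an unsigned token. Anyone can mint an unsigned
    // JWT with arbitrary claims, so a resource server must refuse those explicitly.
    If '$Data(securityParameters("sigalg")) {
        Set sc = $$$ERROR($$$GeneralError,"unsigned access token refused")
        Quit 0
    }

    // Record which algorithm was actually used; useful for audit logging and for
    // alerting if the issuer ever downgrades to a MAC algorithm unexpectedly.
    Set usedAlgorithm = securityParameters("sigalg")
    If usedAlgorithm '= headerObject.%Get("alg") {
        Set sc = $$$ERROR($$$GeneralError,"JWT header alg does not match validated algorithm")
        Quit 0
    }

    // The authenticated principal the request runs as.
    Set subject = jsonObject.%Get("sub")
    If subject = "" {
        Set sc = $$$ERROR($$$GeneralError,"access token has no sub claim")
        Quit 0
    }
    Quit 1
}

}
```

The scope argument is where the superset rule does its work: passing "orders.read" lets a token scoped "orders.read orders.write" through but rejects one scoped only "openid profile", so each endpoint should pass exactly the scopes it needs rather than an empty string.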