OAuth2.AccessToken

Class OAuth2.AccessToken Extends %Persistent [ System = 4 ]

OAuth2.AccessToken stores an OAuth 2.0 access token and its related information.
OAuth2.AccessToken is indexed by the combination of SessionId and ApplicationName. Therefore, only one scope may be requested for each SessionId/ApplicationName pair. If a second request is made with a different scope and no access token has yet been granted, the scope in the new request becomes the expected scope.

Parameters

LogoutInterval

Parameter LogoutInterval As INTEGER [ Internal ] = 15;

LogoutInterval specifies the timeout interval (in seconds) used during RP-initiated front-channel logout. If the user agent has not returned to the post-logout redirect URL before this time, the OAuth2.AccessToken record is considered abandoned and may be automatically deleted.

Properties

SessionId

Property SessionId As %String(COLLATION = "EXACT") [ Required ];

This access token is linked to the session whose id is stored here. An access token is linked to the combination of a session and client application. The class is also indexed by the hash of the access token value, by the hash of the IDToken value, and by the State during Authorization Server requests.

ApplicationName

Property ApplicationName As %String(COLLATION = "EXACT", MAXLEN = 128, MINLEN = 1) [ Required ];

This access token is linked to this client application.

State

Property State As %String(COLLATION = "EXACT", MAXLEN = 1024);

The base64 encoded random state associated with request to Authorization Server.

Stage

Property Stage As %String(VALUELIST = ",new,loggedin") [ Internal ];

Stage reflects the stage of the token usage process and is used for keeping track of usage attempts. Possible values of Stage: "new", "loggedin".
"new": the access token was just initiated; the system is waiting for the CSP URL.
"loggedin": the system is logged in.

AccessToken

Property AccessToken As %String(COLLATION = "EXACT", MAXLEN = "");

The access token

Hash

Property Hash As %String(COLLATION = "EXACT", MAXLEN = 64);

SHA512 hash of the AccessToken to be used for indexing

IDToken

Property IDToken As %String(COLLATION = "EXACT", MAXLEN = "");

The IDToken

IDHash

Property IDHash As %String(COLLATION = "EXACT", MAXLEN = 64);

SHA512 hash of the IDToken to be used for indexing

TokenType

Property TokenType As %String;

The token type that is returned from the authorization server.

Expires

Property Expires As %Integer;

The time when the token expires, in seconds since December 31st, 1840 (i.e. measured from the start of the $HOROLOG ($h) epoch).

Scope

Property Scope As %String(MAXLEN = "");

Blank separated list of scope names which this token supports

RefreshToken

Property RefreshToken As %String(MAXLEN = "");

The refresh token that is returned by the authorization server or "".

RedirectURL

Property RedirectURL As %String(MAXLEN = 1024) [ Internal ];

The URL of the CSP page which will be invoked after the access token is obtained. By default, this is the page that began the token request workflow.

GrantType

Property GrantType As %String(VALUELIST = ",A,I,P,C,J");

GrantType is the grant type that was used to create this access token:
- "A" - Authorization Code
- "I" - Implicit
- "P" - Resource Owner Password Credentials
- "C" - Client Credentials
- "J" - JWT Authorization

Nonce

Property Nonce As %String(MAXLEN = 1024);

Nonce for OpenID Connect request. This nonce must be included in the IDToken.

ResponseType

Property ResponseType As %String;

The response_type of the access token request

ResponseMode

Property ResponseMode As %String;

The response_mode of the access token request: query or fragment

ResponseProperties

Property ResponseProperties As array Of %String(MAXLEN = "");

ResponseProperties contains the response properties from the access token request where the key is the property name and the value is the property value.

Error

Property Error As %OAuth2.Error;

Error object for error during authorization

TemporarySession

Property TemporarySession As %Boolean [ Deprecated, InitialExpression = 0 ];

If TemporarySession is true, then this access token object was created for a temporary session by %OAuth2.Login. This object should not be deleted by the end session event handler.

CodeVerifier

Property CodeVerifier As %String(MAXLEN = "");

Code verifier sent with authorization requests when using the authorization_code grant type. This is in accordance with PKCE (RFC7636).

HasNonStandardImplicitIdToken

Property HasNonStandardImplicitIdToken As %Boolean [ InitialExpression = 0, Internal ];

If HasNonStandardImplicitIdToken is true, then this access token object contains an id token that was not accompanied by the openid scope in the server response (and this object's scope has been modified to include "openid" as a reflection of this). This behavior is governed by the AcceptNonStandardImplicitIdToken property in OAuth2.Client and should not be set by the user.

LogoutRedirectURL

Property LogoutRedirectURL As %String(MAXLEN = 1024) [ Internal ];

LogoutRedirectURL is stored during RP-initiated front-channel logout. This value indicates the URL to navigate to after a successful logout.

LogoutState

Property LogoutState As %String(COLLATION = "EXACT", MAXLEN = 1024);

The base64 encoded random state associated with a logout request to the Authorization Server.

InLogout

Property InLogout As %Boolean [ InitialExpression = 0, Internal ];

The InLogout flag is set to true during RP-initiated front-channel logout. If true, this record should not be deleted until the logout sequence is completed. This is needed so the value in LogoutRedirectURL is retained.

LoginRedirectURL

Property LoginRedirectURL As %String(MAXLEN = "") [ Internal ];

LoginRedirectURL stores the redirect URL to the authorization server.

Methods

AccessTokenSet

Method AccessTokenSet(accessToken As %String) As %Status [ Internal ]

IDTokenSet

Method IDTokenSet(IDToken As %String) As %Status [ Internal ]

SetError

Method SetError(error As %OAuth2.Error)

Set the error.

ClearError

Method ClearError()

Clear the error.

IsError

Method IsError() As %Boolean

Return whether an error has been set.

IsExpired

Method IsExpired() As %Boolean

Check if this token is expired

IsOpenID

Method IsOpenID() As %Boolean [ CodeMode = expression ]

Is this an OpenID authorization request? Find out by looking for openid scope.

OpenForSession

ClassMethod OpenForSession(applicationName As %String, sessionId As %String, Output sc As %Status) As OAuth2.AccessToken

Open an OAuth2.AccessToken instance based on the session and client application that it is linked to.

Open

ClassMethod Open(accessToken As %String, Output sc As %Status) As OAuth2.AccessToken

Open an OAuth2.AccessToken instance based on the AccessToken property

OpenByIDToken

ClassMethod OpenByIDToken(IDToken As %String, Output sc As %Status) As OAuth2.AccessToken

Open an OAuth2.AccessToken instance based on the IDToken property

Remove

Method Remove() As %Status

Remove this token from the client. If this token is currently processing an RP-initiated front-channel logout request (that is, if InLogout is true), then the token(s) will be removed, but the AccessToken record will not be deleted until the logout is completed or times out.

Cleanup

ClassMethod Cleanup() [ Internal ]

Clean up all expired tokens
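The following is an added example, not part of the OAuth2.AccessToken class or its documentation. It shows how a client-side method would look up the token for the current session with OpenForSession, reject it when IsError or IsExpired report a problem, and compute the remaining lifetime from the Expires epoch described above. The client application name "MyApp" and the method name CheckToken are assumptions.

```objectscript
/// Added example (not InterSystems code). Assumes a client application named "MyApp"
/// is configured and that sessionId is the caller's CSP session id.
ClassMethod CheckToken(sessionId As %String) As %Status
{
    Set sc = $$$OK
    Set applicationName = "MyApp"   ; assumed client application name
    // A token is keyed by the SessionId/ApplicationName pair, so this is the lookup to use
    Set token = ##class(OAuth2.AccessToken).OpenForSession(applicationName, sessionId, .sc)
    If $$$ISERR(sc) Quit sc
    If '$IsObject(token) {
        Write "No access token for this session",!
        Quit $$$OK
    }
    // The Error property is populated when authorization failed; treat it as "no usable token"
    If token.IsError() {
        Write "Authorization error recorded on token",!
        Quit $$$OK
    }
    // Expires is documented as seconds since 31 Dec 1840, the $HOROLOG epoch:
    // convert the current $HOROLOG (days,seconds) to the same unit for a remaining-lifetime estimate
    Set nowSeconds = ($PIECE($HOROLOG, ",", 1) * 86400) + $PIECE($HOROLOG, ",", 2)
    Write "Seconds until expiry: ", token.Expires - nowSeconds,!
    // Rely on the class's own check for the actual decision, then drop the stale record
    // (Cleanup() would also remove it in bulk)
    If token.IsExpired() {
        Write "Token expired; removing",!
        Quit token.Remove()
    }
    Write "Grant type: ", token.GrantType, " scope: ", token.Scope,!
    // An id token is only expected when the openid scope was granted
    If token.IsOpenID() {
        Write "OpenID Connect request; id token present: ", (token.IDToken '= ""),!
    }
    Quit sc
}
```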

%OnBeforeSave

Method %OnBeforeSave(insert As %Boolean) As %Status [ Internal, Private ]

This callback method is invoked by the %Save method to provide notification that the object is being saved. It is called before any data is written to disk.

insert will be set to 1 if this object is being saved for the first time.

If this method returns an error then the call to %Save will fail.

%OnDelete

ClassMethod %OnDelete(oid As %ObjectIdentity) As %Status [ Internal ]

This callback method is invoked by the %Delete method to provide notification that the object specified by oid is being deleted.

If this method returns an error then the object will not be deleted. [Previously private]