OAuth2.Client

Class OAuth2.Client Extends %Persistent [ System = 4 ]

The OAuth2.Client class describes an OAuth2 client and references the Authorization server that it uses to authorize the application based on RFC 6749. A client system may be used with multiple authorization servers for different applications.

Properties

ApplicationName

Property ApplicationName As %String(MAXLEN = 128, MINLEN = 1) [ Required ];

The IDKEY for the application class. The ApplicationName identifies this application (client + authorization server) configuration.
Chosen by user during configuration.

Enabled

Property Enabled As %Boolean [ InitialExpression = 1, Required ];

True if client application is enabled.
Chosen by user during configuration.

Description

Property Description As %String(MAXLEN = 256);

Description of the application.
Chosen by user during configuration.

ClientType

Property ClientType As %String(VALUELIST = ",public,confidential,resource") [ Required ];

The type of client configuration:

  • public - a public client. See RFC 6749
  • confidential - a confidential client. See RFC 6749
  • resource - a resource server which is not also a client
Chosen by user during configuration. Will usually be confidential client for an InterSystems IRIS application.

SSLConfiguration

Property SSLConfiguration As %String(MAXLEN = 64, MINLEN = 1) [ Required ];

The name of the activated TLS/SSL configuration to use for authorization server requests.
Chosen by user during configuration.

RedirectionEndpoint

Property RedirectionEndpoint As OAuth2.Endpoint;

The endpoint object for the URL to be used by the authorization server to return the response to an authorization request.
Required if ClientType is public or confidential. Chosen by user during configuration.

DefaultScope

Property DefaultScope As %String(MAXLEN = "");

The default scope, as a blank separated list, for access token requests.
Chosen by user during configuration.

JWTInterval

Property JWTInterval As %Integer [ InitialExpression = 60 ];

JWTInterval is the interval in seconds after which a JWT expires which is used for client_secret_jwt or private_key_jwt authentication types. The default is 1 minute. There should be no need to change the default since this JWT may only be used once.

JWTAudience

Property JWTAudience As %String(MAXLEN = 256);

Defines the value to use for the "aud" claim in tokens generated for private_key_jwt and client_secret_jwt authentication methods, as well as for the JWT Authorization grant type. For new configurations this will be the authorization server's token endpoint by default. For backwards compatibility, if this is undefined the client will use the issuer endpoint.

ClientId

Property ClientId As %String(MAXLEN = "");

The client id that is supplied during client registration.
Required for all ClientTypes.

ClientSecret

Property ClientSecret As %String(MAXLEN = "");

The client secret that is supplied during client registration.
Required if ClientType is confidential or resource server.

ClientCredentials

Property ClientCredentials As %String;

ClientCredentials is the alias of the %SYS.X509Credentials object which contains the client's certificate and private key.

ClientPassword

Property ClientPassword As %String(MAXLEN = 128);

ClientPassword is the password for the private key in ClientCredentials, if the password is not stored in the %SYS.X509Credentials object.

PrivateJWKS

Property PrivateJWKS As %String(MAXLEN = "") [ Internal ];

PrivateJWKS is the JWKS which contains the private asymmetric keys for this client. If ClientCredentials is specified, then PrivateJWKS is created using the public/private key pair specified by these credentials. Otherwise, the private/public key pairs are generated.
This property should never be set directly for configuration.

PublicJWKS

Property PublicJWKS As %String(MAXLEN = "") [ Internal ];

PublicJWKS is the JWKS which contains the public asymmetric keys for this client, which are to be made available via the jwks_uri metadata property. If ClientCredentials is specified, then PublicJWKS is created along with PrivateJWKS using the public/private key pair specified by these credentials. Otherwise, the private/public key pairs are generated.
This property should never be set directly for configuration.

JWKSFromCredentials

Property JWKSFromCredentials As %Boolean [ InitialExpression = 0, Internal ];

JWKSFromCredentials is true if the JWKSs were created from ClientCredentials.
This property should never be set directly for configuration.

RemotePublicJWKS

Property RemotePublicJWKS As %String(MAXLEN = "") [ Deprecated, Internal ];

This property is deprecated. The public keys are stored in the PublicJWKS property of OAuth2.ServerDefinition and the symmetric keys are stored in its SymmetricJWKS property.

RemotePublicJWKSExpires

Property RemotePublicJWKSExpires As %Integer [ Deprecated, Internal ];

This property is deprecated. The public keys and their expiration are managed by OAuth2.ServerDefinition.

SymmetricJWKS

Property SymmetricJWKS As %String(MAXLEN = "") [ Internal ];

SymmetricJWKS stores the symmetric keys used by this OAuth2 client configuration. These keys are typically derived from the client secret.

AuthenticationType

Property AuthenticationType As %String(VALUELIST = ",none,basic,body,client_secret_jwt,private_key_jwt") [ Deprecated, InitialExpression = "basic" ];

**** Replaced by OAuth2.Client.Metadata properties when dynamic client support was introduced.
The type of authentication (as specified in RFC 6749 or OpenID Connect Core section 9) to be used for HTTP requests to the authorization server.

SigningAlgorithm

Property SigningAlgorithm As %String(VALUELIST = ",RS256,RS384,RS512") [ Deprecated ];

**** Replaced by OAuth2.Client.Metadata properties when dynamic client support was introduced.

EncryptionAlgorithm

Property EncryptionAlgorithm As %String(VALUELIST = ",A128CBC-HS256,A192CBC-HS384,A256CBC-HS512") [ Deprecated ];

**** Replaced by OAuth2.Client.Metadata properties when dynamic client support was introduced.

KeyAlgorithm

Property KeyAlgorithm As %String(VALUELIST = ",RSA1_5,RSA-OAEP") [ Deprecated ];

**** Replaced by OAuth2.Client.Metadata properties when dynamic client support was introduced.

Metadata

Property Metadata As OAuth2.Client.Metadata;

The meta data which describes this client.

AcceptNonStandardImplicitIdToken

Property AcceptNonStandardImplicitIdToken As %Boolean [ InitialExpression = 0 ];

If AcceptNonStandardImplicitIdToken is true, then this client will accept requested id tokens even when the server response they are sent in does not contain the openid scope.

ServerDefinition

Relationship ServerDefinition As OAuth2.ServerDefinition [ Cardinality = one, Inverse = Clients ];

ServerDefinition is the reference to the OAuth2.ServerDefinition object which describes the authorization server to be used for this client.
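The following ObjectScript class is an added example, not part of the InterSystems class reference, showing how the properties above fit together when a confidential client configuration is created and saved. It assumes that a TLS configuration named "ClientTLS" already exists, that OAuth2.ServerDefinition exposes IssuerEndpoint and SSLConfiguration, that OAuth2.Endpoint exposes UseSSL, Host, Port and Prefix, and that OAuth2.Client.Metadata carries the "client_name" and "token_endpoint_auth_method" properties; the hostnames and client id are constructed placeholders. The client secret is passed in by the caller rather than written into source.

```objectscript
/// Added example: create a confidential OAuth2.Client configuration.
/// Not part of the InterSystems class library; property names on
/// OAuth2.ServerDefinition, OAuth2.Endpoint and OAuth2.Client.Metadata
/// are assumptions, as noted in the lead-in.
Class Demo.OAuth2.ClientSetup
{

/// Returns %Status; the secret comes from the caller (vault, prompt, etc.),
/// never from a literal in the class.
ClassMethod Create(secret As %String) As %Status
{
    Set sc = $$$OK
    Try {
        // The authorization server this client will trust (assumed properties).
        Set server = ##class(OAuth2.ServerDefinition).%New()
        Set server.IssuerEndpoint = "https://auth.example.test"   // constructed placeholder
        Set server.SSLConfiguration = "ClientTLS"                  // assumed to exist
        Set sc = server.%Save()
        If $$$ISERR(sc) Quit

        Set client = ##class(OAuth2.Client).%New()
        Set client.ApplicationName = "DemoApp"                     // IDKEY chosen here
        Set client.Description = "Demo confidential client"
        Set client.ClientType = "confidential"                     // usual choice for an IRIS app
        Set client.SSLConfiguration = "ClientTLS"                  // required: AS traffic is TLS only
        Set client.ClientId = "demo-client-id"                     // constructed placeholder
        Set client.ClientSecret = secret                           // required for confidential
        Set client.DefaultScope = "openid profile"                 // blank separated list
        Set client.ServerDefinition = server

        // Where the authorization server returns the authorization response.
        // Required for public/confidential clients; keep it on TLS.
        Set client.RedirectionEndpoint.UseSSL = 1
        Set client.RedirectionEndpoint.Host = "app.example.test"   // constructed placeholder
        Set client.RedirectionEndpoint.Port = 443
        Set client.RedirectionEndpoint.Prefix = ""

        // Authentication method lives on Metadata, not on the deprecated
        // AuthenticationType/SigningAlgorithm/... properties.
        If '$IsObject(client.Metadata) Set client.Metadata = ##class(OAuth2.Client.Metadata).%New()
        Set client.Metadata."client_name" = "Demo confidential client"
        Set client.Metadata."token_endpoint_auth_method" = "client_secret_basic"

        // %Save runs %OnValidateObject / %OnBeforeSave and generates the
        // PrivateJWKS/PublicJWKS pair, since no ClientCredentials were given.
        Set sc = client.%Save()
    } Catch ex {
        Set sc = ex.AsStatus()
    }
    Quit sc
}

}
```

Call it from a terminal as `Set sc = ##class(Demo.OAuth2.ClientSetup).Create(secret)` and inspect `sc` with `$System.Status.DisplayError(sc)` on failure. Leaving PrivateJWKS and PublicJWKS untouched is deliberate: the page marks them Internal, and %Save fills them in from ClientCredentials or from generated keys.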

Methods

JWTIntervalGet

Method JWTIntervalGet() As %Integer [ Internal ]

Use a getter method to force the default value for existing client configurations.

JWTAudienceGet

Method JWTAudienceGet() As %String

AuthenticationTypeSet

Method AuthenticationTypeSet(authenticationType As %String) As %Status [ Internal ]

Store value in metadata for compatibility

AuthenticationTypeGet

Method AuthenticationTypeGet() As %String [ Internal ]

Get value from metadata for compatibility

SigningAlgorithmSet

Method SigningAlgorithmSet(signingAlgorithm As %String) As %Status [ Internal ]

Store value in metadata for compatibility

SigningAlgorithmGet

Method SigningAlgorithmGet() As %String [ Internal ]

No value for kinds of JWTs

EncryptionAlgorithmSet

Method EncryptionAlgorithmSet(encryptionAlgorithm As %String) As %Status [ Internal ]

Store value in metadata for compatibility

EncryptionAlgorithmGet

Method EncryptionAlgorithmGet() As %String [ Internal ]

No value for kinds of JWTs

KeyAlgorithmSet

Method KeyAlgorithmSet(keyAlgorithm As %String) As %Status [ Internal ]

Store value in metadata for compatibility

KeyAlgorithmGet

Method KeyAlgorithmGet() As %String [ Internal ]

No value for kinds of JWTs

%OnNew

Method %OnNew() As %Status [ Internal, Private ]

Get a new OAuth2.Client instance.

Open

ClassMethod Open(applicationName As %String, Output sc As %Status) As OAuth2.Client

Open an OAuth2.Client instance based on the applicationName ID property.

Upgrade

Method Upgrade() As %Status [ Internal ]

Upgrade this OAuth2.Client instance to the form used since dynamic client support was introduced.

UpdateMetadata

Method UpdateMetadata() As %Status [ Internal ]

Update the client metadata. This method is called before creating the JSON string needed for dynamic client registration to update the metadata properties which can be changed after compile time.

GetReturnedMetadata

Method GetReturnedMetadata() [ Internal ]

Update the client configuration based on the metadata response returned during dynamic registration.

RegisterClient

Method RegisterClient() As %Status [ Internal ]

Register this client using OpenID Connect Dynamic Client Registration. If successful, this client instance will be updated based on the registration.

ReadClient

Method ReadClient() As %Status [ Internal ]

Read the client metadata for this client using OpenID Connect Dynamic Client Registration. If successful, this client instance will be updated based on the registration.

UpdateClient

Method UpdateClient() As %Status [ Internal ]

Read the client metadata for this client using OpenID Connect Dynamic Client Registration. If successful, this client instance will be updated based on the registration.

DeleteClientRegistration

Method DeleteClientRegistration() As %Status [ Internal ]

Delete the client metadata stored on the server using Dynamic Client Registration. The metadata for the client registration is removed, but the client itself is not deleted.

GetMetadataFromRequest

Method GetMetadataFromRequest(httpRequest As %Net.HttpRequest, jsonObject As %DynamicAbstractObject, updateClient) As %Status [ Private ]

RotateKeys

Method RotateKeys() As %Status

Rotate the client's public/private key pairs by adding a new key pair to the JWKS and saving the JWKS. At this time, all private keys are kept. In the future only a limited set of private keys will be kept.

RefreshJWKS

Method RefreshJWKS(force As %Boolean = 0, save As %Boolean = 1, Output sc As %Status) As %Boolean

If the server's public JWKS was specified using the jwks_uri metadata parameter, this method will fetch the jwks if it has expired.

Parameters:

  • force - refresh the jwks even if the cached version is still valid (default is 0)
  • save - save the client definition (default is 1)
  • sc (output) - status code structure containing any errors

Returns:

  • 1 - if the jwks was updated
  • 0 - if the cached version was still valid
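The following ObjectScript method is an added example, not code from the InterSystems class reference, tying together Open, RefreshJWKS and RotateKeys as a routine key-maintenance task: open the configuration by ApplicationName, refuse to act on a disabled client, refresh the authorization server's cached public keys (fetching only when they have expired unless forced), then add a new key pair to the client's own JWKS. The class name Demo.OAuth2.KeyMaintenance and the assumption that Open returns an empty value together with an error status when no configuration exists are mine.

```objectscript
/// Added example: key maintenance for one OAuth2.Client configuration.
/// Not part of the InterSystems class library.
Class Demo.OAuth2.KeyMaintenance
{

/// forceRefresh = 1 refetches the authorization server's jwks even if the
/// cached copy is still valid (for example after a reported AS key rollover).
ClassMethod MaintainKeys(applicationName As %String, forceRefresh As %Boolean = 0) As %Status
{
    Set sc = $$$OK
    Try {
        // Open by the ApplicationName IDKEY; sc carries any open error.
        Set client = ##class(OAuth2.Client).Open(applicationName, .sc)
        If $$$ISERR(sc) Quit
        If '$IsObject(client) {
            Set sc = $$$ERROR($$$GeneralError, "No client configuration named "_applicationName)
            Quit
        }
        // A disabled configuration should not be touched or talk to the AS.
        If 'client.Enabled {
            Set sc = $$$ERROR($$$GeneralError, "Client "_applicationName_" is disabled")
            Quit
        }

        // RefreshJWKS returns 1 if the jwks was refetched, 0 if the cache was still valid.
        // save = 1 persists the refreshed keys with the client definition.
        Set updated = client.RefreshJWKS(forceRefresh, 1, .sc)
        If $$$ISERR(sc) Quit
        Write "Authorization server JWKS: ", $Select(updated: "refetched", 1: "cached copy still valid"), !

        // Add a new key pair to this client's own JWKS; existing private keys are
        // retained (see RotateKeys), so tokens signed with the old key still verify.
        Set sc = client.RotateKeys()
        If $$$ISERR(sc) Quit
        Write "Client JWKS rotated for ", applicationName, !
    } Catch ex {
        Set sc = ex.AsStatus()
    }
    Quit sc
}

}
```

Run it as `Set sc = ##class(Demo.OAuth2.KeyMaintenance).MaintainKeys("DemoApp")`. Because RotateKeys keeps all private keys for now, repeated rotations grow the JWKS; a scheduled task calling this should check the resulting PublicJWKS is still what the jwks_uri endpoint is expected to publish.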

%OnValidateObject

Method %OnValidateObject() As %Status [ Internal, Private ]

%OnAddToSaveSet

Method %OnAddToSaveSet(depth As %Integer = 3, insert As %Integer = 0, callcount As %Integer = 0) As %Status [ Internal, Private, ServerOnly = 1 ]

This callback method is invoked when the current object is added to the SaveSet, either because %Save() was invoked on this object or on an object that references this object. %OnAddToSaveSet can modify the current object. It can also add other objects to the current SaveSet by invoking %AddToSaveSet or remove objects by calling %RemoveFromSaveSet.

If this method returns an error status then %Save() will fail and the transaction will be rolled back.

%OnBeforeSave

Method %OnBeforeSave(insert As %Boolean) As %Status [ Internal, Private ]

This callback method is invoked by the %Save method to provide notification that the object is being saved. It is called before any data is written to disk.

insert will be set to 1 if this object is being saved for the first time.

If this method returns an error then the call to %Save will fail.

DeleteId

ClassMethod DeleteId(id As %String) As %Status

Delete this client configuration.

%OnDelete

ClassMethod %OnDelete(oid As %ObjectIdentity) As %Status [ Internal ]

This callback method is invoked by the %Delete method to provide notification that the object specified by oid is being deleted.

If this method returns an error then the object will not be deleted. [Previously private]