Skip to main content

OAuth2.Server.AccessToken

Class OAuth2.Server.AccessToken Extends %Persistent [ System = 4 ]

Access tokens are managed by the persistent class OAuth2.Server.AccessToken. OAuth2.Server.AccessToken stores the access token and related properties. This class is also the means of communication between the various parts of the authorization server. This class is used internally by InterSystems IRIS. You should not make direct use of it within your applications. There is no guarantee made about either the behavior or future operation of this class.

Properties

AuthorizationCode

Property AuthorizationCode As %String(COLLATION = "EXACT", MAXLEN = 128) [ Required ];

The IDKEY for the access token class. The access token is indexed by it value The access token is indexed by the RefreshToken property The access token is indexed by the IDToken property Order by time AuthorizationCode is a random number which serves as the IDKey for this class and as the Authorization Code when required by the Authorization Code grant type. We use AuthorizationCode as the IDKey because it comes into existence first in the process of creating an access token

AccessToken

Property AccessToken As %String(COLLATION = "EXACT", MAXLEN = "");

AccessToken is the access token as a string. The default access token is a random string. However, the access token is easily customized to have any structure required by the using application - for example a signed JWT.

Hash

Property Hash As %String(COLLATION = "EXACT", MAXLEN = 64);

SHA512 hash of the AccessToken to be used for indexing

AccessTokenExpires

Property AccessTokenExpires As %Integer;

AccessTokenExpires is the time in seconds from beginning of the Unix epoch when the access expires.

RefreshToken

Property RefreshToken As %String(COLLATION = "EXACT", MAXLEN = "");

RefreshToken is the refresh token as a random string that is used to refresh the access token.

RefreshTokenExpires

Property RefreshTokenExpires As %Integer;

RefreshTokenExpires is the time in seconds from beginning of the Unix epoch when the refresh expires, or "" means does not expire.

IDToken

Property IDToken As %String(MAXLEN = "");

IDToken is the IDToken which is returned forf OpenID Connect requests

IDHash

Property IDHash As %String(COLLATION = "EXACT", MAXLEN = 64);

SHA512 hash of the IDToken to be used for indexing

ClientId

Property ClientId As %String(MAXLEN = 1024);

ClientId is the client id for the client for which this token was issued.

Scope

Property Scope As %String(MAXLEN = "");

Scope is a blank separated list of scopes that were used to issue this token.

ScopeArray

Property ScopeArray As array Of %String(MAXLEN = "");

An array of scopes and associated descriptions. This matches the scopes in the Scope property.

Properties

Property Properties As %OAuth2.Server.Properties;

Properties is a %OAuth2.Server.Properties object that holds the various kinds of properties and claims that are used by the auhtorization server. The various classes which are involved in the authorization and authentication code flow use the properties argument (which is this token property) to communicate amongst themselves and with the authorization server.
See the definition of the %OAuth2.Server.Properties class for details about the propertyies and claims.

AuthorizationCodeExpires

Property AuthorizationCodeExpires As %Integer;

AuthorizationCodeExpires is the time in seconds from the bginning of the Unix epoch when the Authorization code passed to the client expires for the Authorization Code grant type.

GrantType

Property GrantType As %String(VALUELIST = ",A,I,P,C,J");

GrantType is the grant type that was used to create this access token: - "A" - Authorization Code - "I" - Implicit - "P" - Resource Owner Password Credentials - "C" - Client Credentials - "J" - JWT Authorization

Stage

Property Stage As %String;

Stage reflects the stage of the authentication process and is used for error checking. Possible values of Stage: "new", "delegated:", "login:", "2fa:", "permission", "".
"" means process completed or not started.
is the integer count of which login attempt is taking place.

State

Property State As %String(MAXLEN = "");

State to be returned to requester in redirected response

Aud

Property Aud As list Of %String(MAXLEN = "");

aud property from request which will be checked when validating token.

Username

Property Username As %Library.Username;

Username is the username specified and validated by during authentication. $char(0) means that authentication failed.

Issuer

Property Issuer As %String(MAXLEN = 1024);

The issuer of this access token.

RedirectURL

Property RedirectURL As %String(MAXLEN = "");

The redirect used for the current token authorization

AuthTime

Property AuthTime As %Integer;

The time when the user was authenticated.

IssuedAt

Property IssuedAt As %Integer;

The time at which the active access token was issued. This may be different from AuthTime if the token was issued from a refresh token, or if it was automatically issued due to a pre-existing session.

ResponseType

Property ResponseType As %String;

The response_type of the access token request

ResponseMode

Property ResponseMode As %String;

The response_mode of the access token request: query or fragment

GroupId

Property GroupId As %String(MAXLEN = "");

The ID of the group that this access token object belongs to.

CodeChallenge

Property CodeChallenge As %String(MAXLEN = "");

Code challenge used by public clients for PCKE.

CodeChallengeMethod

Property CodeChallengeMethod As %String(VALUELIST = ",plain,S256") [ InitialExpression = "plain" ];

Code challenge method used by public clients for PCKE.

Methods

AccessTokenSet

Method AccessTokenSet(accessToken As %String) As %Status [ Internal ]

IDTokenSet

Method IDTokenSet(IDToken As %String) As %Status [ Internal ]

%OnNew

Method %OnNew() As %Status [ Internal, Private ]

Get a new OAuth2.Server.AccessToken instance with a newly generated AuthorizationCode as IDKey.

RevokeUser

ClassMethod RevokeUser(username As %String, Output count As %Integer) As %Status

RevokeUser will delete all access tokens that are associated with the specified user. The count argument will be returned as the number of access tokens that were deleted.

RevokeByGroupId

ClassMethod RevokeByGroupId(groupId As %String, Output count As %Integer) As %Status

RevokeByGroupId will delete all access tokens that are associated with the specified group ID. The count argument will be returned as the number of access tokens that were deleted.

RevokeByClientId

ClassMethod RevokeByClientId(clientId As %String, Output count As %Integer) As %Status

RevokeByClientId will delete all access tokens that are associated with the specified client ID. The count argument will be returned as the number of access tokens that were deleted.

RevokeByProperty

ClassMethod RevokeByProperty(propertyName As %String, propertyValue As %String, Output count As %Integer) As %Status [ Internal, Private ]

RevokeByProperty is an internal method which will delete all access tokens that satisfy the condition on the access token record: propertyName = propertyValue. The count argument will be returned as the number of access tokens that were deleted.

IsOpenID

Method IsOpenID() As %Boolean [ CodeMode = expression, Internal ]

Is this an OpenID authorization request? Find out by looking for openid scope.

SetAud

Method SetAud(aud As %String, client As OAuth2.Server.Client) [ Internal ]

Set the Aud property based on the request parameter aud value

SetAuthTime

Method SetAuthTime(time As %Integer) [ Internal ]

Set the time when authenticated.

OpenByCode

ClassMethod OpenByCode(authorizationCode As %String, Output sc As %Status) As OAuth2.Server.AccessToken

Open the OAuth2.Server.AccessToken instance using AuthorizationCode.

OpenByToken

ClassMethod OpenByToken(accessToken As %String, Output sc As %Status) As OAuth2.Server.AccessToken

Open the OAuth2.Server.AccessToken instance using AccessToken.

OpenByIDToken

ClassMethod OpenByIDToken(IDToken As %String, Output sc As %Status) As OAuth2.Server.AccessToken

Open the OAuth2.Server.AccessToken instance using IDToken.

OpenByRefresh

ClassMethod OpenByRefresh(refreshToken As %String, Output sc As %Status) As OAuth2.Server.AccessToken

Open the OAuth2.Server.AccessToken instance using RefreshToken

Cleanup

ClassMethod Cleanup() [ Internal, Private ]

Clean up all expired tokens

Save

Method Save() As %Status

Save this OAuth2.Server.AccessToken instance.

Delete

Method Delete() As %Status

Delete this access token

%OnBeforeSave

Method %OnBeforeSave(insert As %Boolean) As %Status [ Internal, Private ]

This callback method is invoked by the %Save method to provide notification that the object is being saved. It is called before any data is written to disk.

insert will be set to 1 if this object is being saved for the first time.

If this method returns an error then the call to %Save will fail.

%OnDelete

ClassMethod %OnDelete(oid As %ObjectIdentity) As %Status [ Internal ]

This callback method is invoked by the %Delete method to provide notification that the object specified by oid is being deleted.

If this method returns an error then the object will not be deleted. [Previously private]