Access token storage

Question

Question

Soufiane Amroun · Jan 15, 2018

#Security #OAuth2 #Caché

Hi community ,

i work actually on the access token generation method , i want know where the generated access token are saved ?

My [OAuth2.AccessToken] tabe is empty , it's logical?

thank's for helping .

Best regards

Discussion (5)0

Log in or sign up to continue

Marvin Tener · Jan 18, 2018

If you are generating access tokens, then you are probably on the server where the access tokens are stored in OAuth2.Server.AccessToken. OAuth2.AccessToken is where the access tokens are stored on the client.

Both of these tables must be accessed from the %SYS namespace and privileges to access CACHESYS database are required.

0 0

score 0 · Answer 1 · 2018-02-08T05:45:02-05:00

Hello Martin,

Thank you for your response. I'm working with Sofiane on OAuth2 implementation.

Actually we manage to generate tokens on the authorization server level. we found our tokens stored in OAuth2.Server.AccessToken.

Then when we try to autorize a client to use a resource from the resource server . we use the ##class(%SYS.OAuth2.AccessToken).IsAuthorized method . But it always return a 0 value even when we use an access token which existing in OAuth2.Server.AccessToken table

I checked the OAuth2.AccessToken but i found it empty.

Any clue about this issue ?

Thank you in advance

score 0 · Answer 2 · 2018-02-08T15:40:50-05:00

Consider the flow of the access token:

1. Client requests the access token.

2. authorization server authenticates user and issues token

3. client receives token -- IsAuthorized will now return 1 in the same CSP session

4. client uses access token in Authorization header to authorize to resource server.

5. The resource server knows nothing about the access token at this point. In order to validate the access token, the resource server either needs to check signatures (%SYS.OAuth2.Validation:ValidateJWT) or contact the authorization server (%SYS.OAuth2.AccessToken methods GetUserinfo or GetIntrospection). Exactly which method to use depends on how the authorization server is configured. The standards do not specify in detail. You need to contact the authorization server support folks.

score 0 · Answer 3 · 2018-02-12T05:33:58-05:00

Hello Martin,

Thank you for your valuable help

Actually i'm at step 4. I tried to use everyone of the methods that you mentionned to validate the access token. but each time i get this error displayed : "error": "ERREUR #5002: Erreur Cache: <UNDEFINED>zGetUserinfo+10^%SYS.OAuth2.AccessToken.1 *applicationName", eventhough i used the same application name for the first 3 steps and it worked just fine.

ANy idea about this issue ? thank you in advance

Best regards

score 0 · Answer 4 · 2018-02-12T12:09:13-05:00

do you already have called GetAccessTokenFromRequest() of %SYS.OAuth2.AccessToken ?

What is the result?

On resource server side you then need to continue with this, see section "Code Requirements" here: http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GOAUTH_resource

Be also aware on the prerequisites and code requirements also.

HTH,
Bernd