Utsavi Gajjar · May 10

How to decode an Azure Access Token in IRIS?


I am trying to find out if it is possible to decode the Azure access token in IRIS. Has anyone ever tried this before? I need to decode the token to extract the "Scope" details in order to verify the scope to make sure client is permitted to do the request they have done.

If you could point me to any information, that'd be great. 

Thank you.



Product version: IRIS 2020.1
1 0 7 189
Log in or sign up to continue

Hi Dmitry, 

Thanks for your reply. Yes the OAuth2 token. I haven't setup anything for OAuth2 on IRIS end. In our case, the REST APIs we are building in IRIS are exposed to consumer apps via IAM and Azure. IAM takes care of the OAuth2 Authentication. Client Request then flows through to IRIS which is when I need to introspect the access token to read the "Scope".

I came across the following method, is that something I can utlise?

set sc=##class(%SYS.OAuth2.AccessToken).GetIntrospection("demoresource",accessToken,.jsonObject)

Most of the code related to OAuth2 in IRIS, supposed that you have configured OAuth2 Client, and uses this information to validate and extract data from the token. And this particular method will expect OAuth2 client with the name "demoresource".

I'm not sure how InterSystems supposed to get it worked together with IAM. But I have an example, of extracting data from the JWT token, without any configuration. Look at this code. In this class, I can generate tokens and validate them, as well as pass any data to generating tokens, and extract it. But it also uses a secret phrase to validate the token. And depends on the algorithm, it will require just a simple string as a secret phrase, or a public and private key.

And try the suggested JWT debugger, which may help you in understanding, what's exactly stored in the token and used algorithm for the key.

Thanks a lot Dmitry. I will follow your example code and see if that works for me. Will update you on how I go.

Hi Dmitry,

I am trying out the sample code you supplied. It seems that you have to supply a Secret Key in order to decode the token using  ##class(%OAuth2.JWT).JWTToObject(). If I put my sample token on , it decodes it without me having to supply the key. 

Can we decode the token from IRIS without having to supply the public or private key ?

Yeah, sure, it's quite simple to do. JWT tokens contain three parts separated by a pointer sign. 

  • Header, with the algorithm of the signature and the type of token
  • Payload, any data in JSON format
  • Signature needs to verify the token 

All of those parts are encoded with Base64

  Set token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" 

  #; Extract parts of the token
  Set $ListBuild(header, payload, sign) = $ListFromString(token, ".")

  #; Decode and parse Header
  Set header = $System.Encryption.Base64Decode(header)
  Set header = {}.%FromJSON(header)
  Write !,"header"
  Write !,"alg = ",header.alg
  Write !,"typ = ",header.typ

  #; Decode and parse Payload
  Set payload = $System.Encryption.Base64Decode(payload)
  Set payload = {}.%FromJSON(payload)
  Write !!,"data"
  Write !,"name = ", 
  Write !,"iat = ", payload.iat 

Oh that is Perfect mate !! Thanks so much :)