· Mar 21

OAuth 2.0 Resource Service Scope Check Fail


I have my server setup a resource server.  When a user calls our API they submit a bearer token as authorization and in our dispatch class AccessCheck() we validate the JWT using ##class(%SYS.OAuth2.Validation).ValidateJWT()

If I include a scope to check in that method I get the error Scope check may only be done on requesting client and I'm not sure what this means. The method works without include the scope and will let me know if I have an unsigned token or an expired token.  

I noticed that the implementation of the method calls Set token=##class(OAuth2.AccessToken).Open(accessToken,.sc) and then checks $ISOBJECT(token) and that's where it's failing.  That particular method returns the token by calling Set tokenObject=..ATIndexOpen($system.Encryption.SHAHash(512,accessToken),,.sc).  However, in ##class(%SYS.OAuth2.Validation).ValidateJWT() one of the first thing that happens is ..JWTToObject() is called which returns the access token as an object already in the variable jwtObject.  I'm not sure why it's doing the same thing different ways.

Further debugging revealed this error ERROR #5770: Object open failed because 'ATIndex' key value of '***********************' was not found.

Can someone please help me: 

1) Understand what the error means?

2) How I might fix this?

So far the best I can think of is that I'm missing a scope that should be validated along with the one I'm passing in?

Product version: IRIS 2023.3
Discussion (5)2
Log in or sign up to continue

Thanks, @Ron Sweeney 

Yes, I did put the token in the debugger and confirm only once scope is in the token and made sure that I copied and pasted that in the ValidateJWT() method so I didn't fat finger.  So the scope is indeed there.  My workaround is to not try to validate the scope within the library methods and just pull out the scope from the body and validate in a for loop.