%OAuth2.JWT Methods/OAuth 2.0 Questions

Question

Question

Michael Davidovich · Jun 2, 2023

This is a bit of an IRIS question but also and OAuth 2.0 questions:

I am using %OAuth2.JWT.JWTToObject() to "validate" a JWT. My questions:

- While I am checking claims with the returned body, does the return status of the method "count" as a validation step? In other words, if I weren't checking claims and $$$OK was returned from that method call (passing in the token and public keys), I could feel confident that this token came from the expected auth server?

- Does the method or can it validate the token expiration or is that something I need to manually validate; token expiration seems paramount to OAuth 2.0 so one would think it would be a automatic part of the validation, but I am finding I can pass in an old token and still get $$$OK returned by the method. I still check claims and scope however.

Thanks!

Product version: IRIS 2022.1

$ZV: IRIS for Windows (x86-64) 2022.1.2 (Build 574U) Fri Jan 13 2023 15:00:26 EST

Discussion (4)2

Log in or sign up to continue

Edward Clark · Jun 6, 2023

You probably want to look at %SYS.OAuth2.Validation:ValidateJWT() and ValidateIDToken().

0 0

score 0 · Answer 1 · 2023-06-02T12:09:31-04:00

Reading my own question, I think I'm confusing JWTToObject as proper validation, but I think all that step is saying "with the JWT and key you've provided, this is a good/valid token so please proceed with what you need to do to validate claims."

Still, I look forward to your responses.

score 0 · Answer 2 · 2023-07-19T16:28:29-04:00

Yeah, I spent a lot of time with the documentation. I would be interested to know if it's possible to set it all up without configuration in the management portal. E.g. before I called the endpoint to get the keys and rotate them from the auth server, but the config does that for free. I think there's a lot I could have missed not knowing the OAuth spec but I'd be curious to know if anyone did it without using the config.

score 0 · Answer 3 · 2023-07-20T12:27:26-04:00

The return status for %OAuth2.JWT.JWTToObject() will validate signatures, though a JWT with "alg:none" will be validated too. Claims and expiration are not checked in JWTToObject() and should still be checked independently.