Question
· Jun 2, 2023

%OAuth2.JWT Methods/OAuth 2.0 Questions

This is a bit of an IRIS question but also and OAuth 2.0 questions:

I am using %OAuth2.JWT.JWTToObject() to "validate" a JWT.  My questions:

- While I am checking claims with the returned body, does the return status of the method "count" as a validation step? In other words, if I weren't checking claims and $$$OK was returned from that method call (passing in the token and public keys), I could feel confident that this token came from the expected auth server?

- Does the method or can it validate the token expiration or is that something I need to manually validate; token expiration seems paramount to OAuth 2.0 so one would think it would be a automatic part of the validation, but I am finding I can pass in an old token and still get $$$OK returned by the method.  I still check claims and scope however.

Thanks!

Product version: IRIS 2022.1
$ZV: IRIS for Windows (x86-64) 2022.1.2 (Build 574U) Fri Jan 13 2023 15:00:26 EST
Discussion (4)2
Log in or sign up to continue

Yeah, I spent a lot of time with the documentation. I would be interested to know if it's possible to set it all up without configuration in the management portal.  E.g. before I called the endpoint to get the keys and rotate them from the auth server, but the config does that for free.  I think there's a lot I could have missed not knowing the OAuth spec but I'd be curious to know if anyone did it without using the config.