This article, and following two articles of the series, is intended as a user guide for developers or system administrators, who need to work with OAuth 2.0 framework (further referred to as OAUTH for simplicity) in their InterSystems product based applications.
I'm using Caché as an OAuth authorization server and I want to accept the password credentials grant type. I've found that if I make an authorize request, the Caché authorization server requires some URL parameters that shouldn't be required in password grant (redirect_uri, state, scope, and response_type). If I include these parameters, it calls my DirectLogin() method instead of just calling ValidateUser() as I would expect from the docs. I have two questions:
1. Why does the authorize request fail without these additional parameters?
2. If I'm using DirectLogin, do I need to customize my method to handle password grant?
For reference, here's the authorize request I'm making
Created by Daniel Kutac, Sales Engineer, InterSystems
Warning: if you get confused by URLs used: the original series used screens from machine called dk-gs2016. The new screenshots are taken from a different machine. You can safely treat url WIN-U9J96QBJSAG as if it was dk-gs2016.
Part 2. Authorization server, OpenID Connect server
In the previous part of this short series, we have learned about simple use case – acting as an OAUTH[1] client. Now, it’s time to bring our experience to a whole new level. We are going to build much more complex environment, where InterSystems IRIS is going to play all OAUTH roles
Hi.. I have an issue where we are using OAuth2.0 with the ZAUTHENTICATE routine. Once our token is validated we are using a users lan id (passed on the ID token) to find a software defined username in a Cache Global.
That is all working fine in ZAUTHENTICATE.. I am setting the software defined username in the Properties("Comment") array and wanting to reference it in the Rest Service Dispatch class.
I am finding that Properties array is not resident in the dispatch class. It is my understanding that Properties is passed to ZAUTHENTICATE by reference, but how can I invoke the dispatch class in a way that includes the array? Is there setup that needs added in the portal for web application security?
Additionally I see that ZAUTHENTICATE quits with 1/0 for success/fail.. is there a way to return more specific messaging regarding the failure to the calling web application?
Thanks,
George
Hi community ,
i work actually on the access token generation method , i want know where the generated access token are saved ?
My [OAuth2.AccessToken]Â tabe is empty , it's logical?
thank's for helping .
Best regards
Hi community ,
i come back to you , i've a problem with Client description in Oauth2, when i tick the Supported grant types and i save , there are not registred on the OAuth2_Client.Metadata table .
can you tell me where is the problem please.
you will find attached a screenshot.
thank's
As many of you, our partners, are more widely using modern UI frameworks to create client front-end, you may have encountered a question, "So how do I secure my data when I just finished developing all new fancy browser based client experience?"
The answer is easy. Use a standard, proven OAuth2 and OpenID!
"OK, but how can I do it? I have never done it before."
No problem, just have a look here, if your client is Angular (not AngularJS) based, there is a demo project available for you to review and get inspired!
The demo presents a simple Angular (and typescript) application with user login and public/private data REST based retrieval from a server. Please bear in mind that I'm not an angular expert, so my coding might not be the best quality, but the demo is functional (at least on my machine, sigh!)
Hope you'll find it useful!Â
 Â
Hi community
i'm working on the validation user method , i found this following code in the \HSIE\%SYS\Classes\%OAuth2\Server\Validate.cls Â
Â
I tried to implement the Oauth2 in google,
I got authentication, But I unable to read response class.
I got an error as:
I unable to change response Class.
Anyone help me to Change response Class in Client Configuration
           or
Is there any option to define response URL manually?
Thanks
Hi Team
i want to implement an Oauth 2.0 framework in my application , i define my connexion IHM, i want to check if the login and password are right when a user connect
do you've any idea ?
thank's
Hi,Â
I am a beginner on intersystems technologies ! and i want implements Oauth2 for our projects ( Angular 2 + Caché REST  Backend).Â
i read the article that the link  is below :Â
But : i need to create  all servers ( Auth and Resource ) on Caché and dont' to use google server.
Also, i need  to be able to consume Oauth from my web services as caché REST application (whitout csp ui) .
An Idea  Please ?
Thank you
Yani
Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants). Â Is that coming in 2017.2?
In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?
Â
Thanks.
It's almost a year since I have published a series of articles explaining how to configure Cache instance as a client / resource server / authorization server. By that time, the implementation of OAuth 2.0 was still a pre-release software.
With the advent of Cache version 2017.1 a lot has changed. OAuth 2.0 implementation is fully completed and supported. Numerous new features were added (e.g. dynamic client registration) Â - see release notes here for full details - and configuration pages have been redesigned to a great extent as well
Created by Daniel Kutac, Sales Engineer, InterSystems
Â
Part 3. Appendix
In the previous part of our series we have learned about configuring InterSystems IRIS to act as an OAUTH client as well as authorization and authentication server (by means of OpenID Connect). In this final part of our series we are going to describe classes implementing InterSystems IRIS OAuth 2.0 framework. We will also discuss use cases for selected methods of API classes.
The API classes implementing OAuth 2.0 can be separated into three different groups according to their purpose. All classes are implemented in %SYS namespace. Some of them are public (via % package), some not and should not be called by developers directly.
I use Cache Instance. I'm trying to implement OAuth 2.0 in Cache instance.
Is it possible to use Cache instance as Client and Server?
And What is the Difference between CLIENT and AUTHSERVER instance?
Why is it used? I want to know which instance use which type of application?
I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].
I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’
It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?
Is this available anywhere (for Health Connect)? I've found a few presentations but they are aimed at entry level.
We're looking at supporting more and more FHIR, REST plus OAuth interfaces in future. I've built some of this into older versions of HealthShare and Ensemble but it's desirable to move to supported versions.Â
We would be using Healthshare as a facade to other systems.
Â
Â
Click here to view our OAuth 2.0 Overview
InterSystems created this video as a high-level overview of OAuth 2.0 technology, geared toward developers looking to learn the basics of OAuth 2.0.  It will teach you how OAuth 2.0 works, what roles are involved, what benefits it can provide, and how InterSystems Caché can be used with this technology.
I am in need of a routine or class method to generate an Oauth 1.0 signature. Â I was about to code this myself, but thought to check first to see if anyone has already done this and is willing to share.
Thanks in advance for any help.
[UPDATE Â 06/28/2016]
As there appears to not be a readily available solution I created a class to provide Oauth 1.0 authentication.  This class is attached in a zip file.  Methods are provided that generate a signature for a given URL request based on a consumer key and consumer secret.  Note that the only tested use case is in the last leg authentication to an application using Oauth 1.0.  That is it does not support the workflow to request access to the application (see http://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art014 for a discussion on Oauth 1
Presenter: Dan Kutac
Task: Use a common login identity and a central mechanism of authentication across environments from multiple entities
Approach: Provide examples and code samples of an application environment using OpenID Connect and OAuth 2.0
Â
Description: In this session we will demonstrate an application environment using OpenID Connect and OAuth 2.0. Hear how this is done and what options you have; and yes, you get to keep the code.
Problem: How to use a a common login identity (e.g. Facebook credentials) and a central mechanism of authorization cross environments from multiple entities.
Solution: Create awareness and interest in using OAuth 2.0
Â
Content related to this session, including slides, video and additional learning content can be found here.
