OAuth 2.0 Resource Service Scope Check Fail
Hello,
I have my server setup a resource server. When a user calls our API they submit a bearer token as authorization and in our dispatch class AccessCheck() we validate the JWT using ##class(%SYS.OAuth2.Validation).ValidateJWT().
If I include a scope to check in that method I get the error Scope check may only be done on requesting client and I'm not sure what this means. The method works without include the scope and will let me know if I have an unsigned token or an expired token.
I noticed that the implementation of the method calls Set token=##class(OAuth2.AccessToken).Open(accessToken,.sc) and then checks $ISOBJECT(token) and that's where it's failing. That particular method returns the token by calling Set tokenObject=..ATIndexOpen($system.Encryption.SHAHash(512,accessToken),,.sc). However, in ##class(%SYS.OAuth2.Validation).ValidateJWT() one of the first thing that happens is ..JWTToObject() is called which returns the access token as an object already in the variable jwtObject. I'm not sure why it's doing the same thing different ways.
Further debugging revealed this error ERROR #5770: Object open failed because 'ATIndex' key value of '***********************' was not found.
Can someone please help me:
1) Understand what the error means?
2) How I might fix this?
So far the best I can think of is that I'm missing a scope that should be validated along with the one I'm passing in?
Comments
My other thought is that I have to define an auth server configuration but I didn't think that was necessary since we use Okta and just call their APIs as needed.
Further inspection reveals ..ATIndexOpen is an 'Index Open' generated method. So it's trying to open some object with the ATIndex of that encrypted token. Not sure how the that all connects . . .
Michael, if you drop the generated token into https://jwt.io, does Okta have the the list of scopes in an `scp` parameter?
I recall having to do something like this in an Interaction Strategy to get ValidateToken() to work with Okta, wondering if the same is necessary for ValidateJWT().
Do JWTObj.%Set("client_id", OktaJWTObj.cid)
Do JWTObj.%Set("scope",OktaJWTObj.scp)Thanks, @sween
Yes, I did put the token in the debugger and confirm only once scope is in the token and made sure that I copied and pasted that in the ValidateJWT() method so I didn't fat finger. So the scope is indeed there. My workaround is to not try to validate the scope within the library methods and just pull out the scope from the body and validate in a for loop.
From the WRC:
I spoke to the developer and he said it's a bug . . . there is an existing project to clean up a bunch of code in this area. I'll ask them when it will be finished and in what version the code will appear.