Question by Michael Davidovich (Sr. Software Engineer at HST Pathways) · Jun 2, 2023

%OAuth2.JWT Methods/OAuth 2.0 Questions

This is a bit of an IRIS question but also an OAuth 2.0 question:

I am using %OAuth2.JWT.JWTToObject() to "validate" a JWT.  My questions:

- While I am checking claims with the returned body, does the return status of the method "count" as a validation step? In other words, if I weren't checking claims and $$$OK was returned from that method call (passing in the token and public keys), I could feel confident that this token came from the expected auth server?

- Does the method or can it validate the token expiration, or is that something I need to manually validate? Token expiration seems paramount to OAuth 2.0, so one would think it would be an automatic part of the validation, but I am finding I can pass in an old token and still get $$$OK returned by the method.  I still check claims and scope however.

Thanks!

Product version: IRIS 2022.1
$ZV: IRIS for Windows (x86-64) 2022.1.2 (Build 574U) Fri Jan 13 2023 15:00:26 EST

Comments

Michael Davidovich · Jun 2, 2023

Reading my own question, I think I'm confusing JWTToObject as proper validation, but I think all that step is saying "with the JWT and key you've provided, this is a good/valid token so please proceed with what you need to do to validate claims."

Still, I look forward to your responses. 

Edward Clark · Jun 6, 2023

You probably want to look at %SYS.OAuth2.Validation:ValidateJWT() and ValidateIDToken().

Michael Davidovich · Jul 19, 2023 to Edward Clark

Yeah, I spent a lot of time with the documentation. I would be interested to know if it's possible to set it all up without configuration in the management portal.  E.g. before I called the endpoint to get the keys and rotate them from the auth server, but the config does that for free.  I think there's a lot I could have missed not knowing the OAuth spec but I'd be curious to know if anyone did it without using the config.

Amy Lin · Jul 20, 2023

The return status for %OAuth2.JWT.JWTToObject() will validate signatures, though a JWT with "alg:none" will be validated too. Claims and expiration are not checked in JWTToObject() and should still be checked independently.
