#OAuth2

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.

A JWT is typically composed of three parts:

1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature

These parts are encoded in Base64Url format and concatenated with dots (.) separating them.

Structure of a JWT

Header

{ "alg": "HS256", "typ": "JWT"}

Payload

Hi,

I do have the problem to send mails to outlook after getting the new OAUTH2 token. 

 I have no problem getting the token, but after I got the token I try to send the mail thru smtp but authorization failed , please see my try to send the token thru the %Net.Authenticator mechanism %Net.SASL.XOAUTH2

Is this ok?

Or is there an other method to authenticate using the needed bearer method instead of user/pwd with the authenticator? 

 ....code to get the token is working..

Hello Community,

I’m working on an InterSystems IRIS production that needs to call an external API using OAuth client credentials (client_id and client_secret). For security reasons, I must pass these credentials via environment variables in my Docker container.

In the IRIS terminal, I can successfully retrieve these environment variables using $System.Util.GetEnviron("api-clientid") and $System.Util.GetEnviron("api-clientsecret"). However, inside my Business Operation class (OnMessage method), these environment variables return empty strings.

We have an OAuth server configured as an identity provider, and we have an external application (from another provider) that connects correctly with OAuth.

Due to the needs of the project, what we want to do is the following:

Hello, community!

I am working on implementing OAuth 2.0 authentication in InterSystems IRIS and need to correctly define a CSRF token that will be validated by OAuth.Response. However, I am having trouble finding a clear method to configure the CSRF token correctly.

So far, I have tried:

• Setting the CSRF token in the request header.
• Inserting the CSRF token via InsertCookie.

Despite these attempts, I haven’t been successful. On the OAuth.Response page, the CSRF token is empty, and I get the error message “Invalid CSRF token” because the csrfToken is empty.

Over the past couple of months, I have been working on the SMART on FHIR EHR Launch to test the capabilities of IRIS for Health using two open-source apps from CSIRO: SMART-EHR-Launcher and SMART Forms App. This journey has been incredibly interesting, and I’m truly grateful for the opportunity to work on this task and explore more of IRIS for Health’s potential.

InterSystems IRIS 2025.2.0 introduces several features to improve the user experience of configuring OAuth2.

- OAuth2 is now a native authentication type and can be easily enabled for your services and web applications. Previously, OAuth2 was a type of delegated authentication.

- You can now create resource servers with the new OAuth2.ResourceServer class, which simplifies resource server configuration significantly. Previously, resource servers were instances of OAuth2.Client.

 JSON Web Token (JWT) Authentication

Hi Everyone,

I would like to share the code and step-by-step instructions/or guideline for generating a JWT (JSON Web Token) signature, as well as how to test it using Postman / HealthConnect.

JWT is an open standard (RFC 7519) that defines a compact, URL-safe method for securely transmitting information between parties in the form of a JSON object.

Structure of a JWT:

A JWT consists of three parts, separated by dots (.):

We are trying to create a JWT in order to get oauth2 token from login.microsoftonline.com and then use that token to get key/secret from an Azure Key Vault.

It seemed like it would be quite straightforward by using the Create method of class %Net.JSON.JWT

But already trying to set the first header parameter alg PS256 as specified by https://learn.microsoft.com/en-us/entra/identity-platform/certificate-c… becomes a problem. Just to test, I do this:

set JOSE = {
 "alg": "PS256"
}

and then using that and an arbitrary claims as parameters in Create method gives this

In your Interoperability Production you could always have a Business Operation that is an HTTP client, that uses OAuth 2.0 for authentication, but you had to customize the Operation for this authentication methodology. Since v2024.3, which was lately released, there is a new capability, providing new settings, to handle this more easily.