TsgcHTTP_OAuth2_Server › Events › OnOAuth2AfterValidateAccessToken
Fires after the server has validated an access token on a resource request and lets the application accept or override the result.
property OnOAuth2AfterValidateAccessToken: TsgcHTTPOAuth2AfterValidateAccessTokenEvent;
// TsgcHTTPOAuth2AfterValidateAccessTokenEvent = procedure(Sender: TObject; Connection: TsgcWSConnection; OAuth2: TsgcHTTPOAuth2Request; var IsValid: Boolean) of object
OnOAuth2AfterValidateAccessToken is raised after the internal IsOAuth2TokenValid check runs on every protected request. By then the component has already verified that a bearer token is present, is known to the server and has not expired, and IsValid carries that result. Use the event to log successful authorisations, to apply extra business rules (scope enforcement, IP binding, subscription checks, tenant isolation) or to reject an otherwise valid token by setting IsValid to False. If IsValid is False when the handler returns, the request continues through OnOAuth2Unauthorized.
procedure OnOAuth2AfterValidateAccessToken(Sender: TObject; Connection: TsgcWSConnection;
  OAuth2: TsgcHTTPOAuth2Request; var IsValid: Boolean);
begin
  // enforce a required scope on top of the standard validation;
  // Scope is a space-separated list, so pad both sides with spaces to match the
  // whole token and not a prefix such as 'api.readonly'
  if IsValid and (Pos(' api.read ', ' ' + OAuth2.Scope + ' ') = 0) then
    IsValid := False;
end;
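The following is an added example, not code from the sgcWebSockets documentation, showing how a handler can combine the uses described above: exact matching of several required scopes, a simple client-IP allow-list, and logging of the decision. It assumes a form TForm1 owns the server, a hypothetical Log procedure exists, and Connection.IP holds the client's remote address; the scope and IP values are constructed for the example.

```delphi
uses
  System.SysUtils, System.Classes, System.StrUtils;

const
  // constructed values for the example; in a real deployment these come from
  // the resource's configuration
  REQUIRED_SCOPES: array[0..1] of string = ('api.read', 'api.write');
  ALLOWED_IPS: array[0..1] of string = ('127.0.0.1', '10.0.0.5');

// RFC 6749 scopes are a space-delimited, case-sensitive list. Split on spaces
// and compare whole tokens so that 'api.readonly' does not satisfy 'api.read'.
function HasScope(const ScopeList, Required: string): Boolean;
var
  Scopes: TStringList;
begin
  Scopes := TStringList.Create;
  try
    Scopes.Delimiter := ' ';
    Scopes.StrictDelimiter := True;   // only spaces separate entries
    Scopes.CaseSensitive := True;     // scope values are case-sensitive
    Scopes.DelimitedText := Trim(ScopeList);
    Result := Scopes.IndexOf(Required) >= 0;
  finally
    Scopes.Free;
  end;
end;

procedure TForm1.OnOAuth2AfterValidateAccessToken(Sender: TObject;
  Connection: TsgcWSConnection; OAuth2: TsgcHTTPOAuth2Request; var IsValid: Boolean);
var
  Scope: string;
begin
  // the component has already rejected missing, unknown and expired tokens;
  // this handler only narrows an accepted token, it never turns False into True
  if not IsValid then
    Exit;

  // 1. every required scope must be present in the token's scope list
  for Scope in REQUIRED_SCOPES do
    if not HasScope(OAuth2.Scope, Scope) then
    begin
      Log(Format('deny %s: missing scope %s', [Connection.IP, Scope]));  // Log is hypothetical
      IsValid := False;
      Exit;
    end;

  // 2. IP binding: the caller must be on the allow-list (Connection.IP assumed)
  if not MatchStr(Connection.IP, ALLOWED_IPS) then
  begin
    Log(Format('deny %s: address not allowed', [Connection.IP]));
    IsValid := False;
    Exit;
  end;

  // 3. record the successful authorisation
  Log(Format('allow %s: scope "%s"', [Connection.IP, OAuth2.Scope]));
end;
```

Each rejection sets IsValid to False and exits, so the request reaches OnOAuth2Unauthorized as described above. If the server sits behind a reverse proxy, Connection.IP will be the proxy's address rather than the client's, so an IP-binding rule must then be based on a trusted forwarded-address header instead.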