Update doc 21

arnaud4d · arnaud4d · commit f30dde1fc032 · 2025-10-23T11:42:35.000+02:00
diff --git a/Documentation/Classes/JWT.md b/Documentation/Classes/JWT.md
@@ -0,0 +1,142 @@
+# JWT Class
+
+## Overview
+
+The `JWT` class allows you to generate, decode, and validate JSON Web Tokens (JWTs) to authenticate users and secure API calls. JWTs are widely used in modern web authentication systems, including OAuth2 and OpenID Connect.
+
+This class is typically used in three scenarios:
+
+* **Token generation**: Create a signed JWT when a user logs in.
+* **Token decoding**: Read and inspect a JWT received from an authentication provider.
+* **Token validation**: Verify the JWT’s signature and expiration before granting access to protected resources.
+
+This class is instantiated using the `cs.NetKit.JWT.new()` function.
+
+**Note:** Shared objects are not supported by the 4D NetKit API.
+
+## Table of contents
+
+* [cs.NetKit.JWT.new()](#csnetkitjwtnew)
+* [JWT.decode()](#jwtdecode)
+* [JWT.generate()](#jwtgenerate)
+* [JWT.validate()](#jwtvalidate)
+
+
+## cs.NetKit.JWT.new()
+
+**cs.NetKit.JWT.new** ( *key* : Text or Object ) : `cs.NetKit.JWT`
+
+Creates a new instance of the JWT class.
+
+### Parameters
+
+| Parameter | Type         | Description |
+|-----------|--------------|-------------|
+| key       | Text/Object  | *Optional.* If text → Key in PEM format.<br>- If object → Must be an object returned by `4D.CryptoKey`.<br>If it's a private key, the public key will be inferred. |
+
+### Example
+
+```4d
+var $jwt := cs.NetKit.JWT.new($key)
+
+```
+
+## JWT.decode()
+
+**JWT.decode** ( *token* : Text ) : Object
+
+### Parameters
+
+| Parameter | Type |  | Description         |
+|-----------|----- |:---:|----------------- |
+| token     | Text |->| JWT string to decode |
+| Result    | Object |<-|The decoded content of the JWT |
+
+### Description
+
+Decodes a JWT string and returns its components (header, payload, signature).
+
+### Returned object
+
+The function returns an object containing the following properties:
+
+| Property | Type | Description |
+|---|---|---|
+|header| Object |Metadata about the token type and the signing algorithm |
+|payload| Object |The information (claims) of the token like the user's name, role, user ID, or expiration date.|                                                                          
+|signature| Object |Ensures the integrity of the token and verifies the sender’s authenticity|
+
+### Example
+
+```4d
+
+var $result := cs.NetKit.JWT.new().decode($token)
+
+```
+
+## JWT.generate()
+
+**JWT.generate** ( *params* : Object { ; *privateKey* : Text or Object } ) : Text
+
+### Parameters
+
+| Parameter | Type | | Description |
+|------------|--------|:--:|--------------------------------------------------------------|
+| params | Object | ->| Options for the JWT content|
+| privateKey | Text/Object | ->| *Optional.* If text → Private key in PEM format.<br>- If object → Must be returned by `4D.CryptoKey`.<br>If omitted, the key passed to `JWT.new()` will be used. |
+| Result | Text | <-| The generated JWT token |
+
+### Description
+
+Generates a signed JWT based on the provided parameters and optional private key.
+
+In *params*, you can pass several properties:
+
+| Property |  | Type | Description |
+|----------|--|------|-------------|
+| header | |Object | *(optional)* Metadata about the token |
+| | header.alg |Text |Signing algorithm. Defaults to `"RS256"` if not specified |
+| | header.typ |Text | Token type. Defaults to `"JWT"` if not specified|
+| payload | | Object | The claims/information you want to include in the token|                                                                                                                    
+
+### Example
+
+```4d
+
+var $params:={header: {alg: "HS256"; typ: "JWT"}}
+$params.payload:={sub: "123456789"; name: "John"; exp : 50}
+
+var $token := cs.NetKit.JWT.new().generate($params; $privateKey)
+
+```
+
+## JWT.validate()
+
+**JWT.validate** ( *token* : Text { ; *key* : Text or Object } ) : Boolean
+
+### Parameters
+
+| Parameter | Type | | Description |
+|-----------|------|--:|-------------------------------------------------------------|
+| token | Text | ->| JWT token to validate |
+| key | Text | ->| *Optional.* If text → Private or public key in PEM format.<br>- If object → Must be returned by `4D.CryptoKey`.<br>If omitted, the key passed to `JWT.new()` will be used. |
+| Result | Boolean | <-| `True` if the token is valid, `False` otherwise |
+
+### Description
+
+Validates a JWT token using the provided public key or the key passed to the constructor.
+
+### Example
+
+```4d
+
+var $isValid:= cs.NetKit.JWT.new().validate($token; $key)
+
+```
+## See also
+
+* [OAuth2Provider Class](./OAuth2Provider.md)
+* [Google Class](./Google.md)
+* [Office365 Class](./Office365.md)
+
+
diff --git a/Documentation/Classes/OAuth2Provider.md b/Documentation/Classes/OAuth2Provider.md
@@ -50,31 +50,31 @@ The available properties of `paramObj` are:
 
 |Parameter|Type|Description|Optional|
 |---------|--- |------|------|
-| accessType | text | (Recommended) Indicates whether your application can refresh access tokens when the user is not present at the browser.&lt;br/&gt; Valid parameter values are online (default) and offline.&lt;br/&gt; Set the value to offline if your application needs to update access tokens when the user is not present at the browser. This is how access tokens are refreshed. This value instructs the Google authorization server to return a refresh token and an access token the first time that your application exchanges an authorization code for tokens. |Yes|
-| authenticateURI | text | Uri used to do the Authorization request.&lt;br/&gt; Default for Microsoft: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize".&lt;br/&gt; Default for Google: "https://accounts.google.com/o/oauth2/auth". |Yes|
-| authenticationErrorPage |text or file object| Path of the web page to display in the web browser when the authentication server returns an error in signed in mode (If not present the default page is used).|Yes|
-| authenticationPage|text or file object|Path of the web page to display in the web browser when the authentication code is received correctly in signed in mode (If not present the default page is used).|Yes|
+| accessType | text | (Recommended) Indicates whether your application can refresh access tokens when the user is not present at the browser.<br/> Valid parameter values are online (default) and offline.<br/> Set the value to offline if your application needs to update access tokens when the user is not present at the browser. This is how access tokens are refreshed. This value instructs the Google authorization server to return a refresh token and an access token the first time that your application exchanges an authorization code for tokens. |Yes|
+| authenticateURI | text | Uri used to do the Authorization request.<br/> Default for Microsoft: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize".<br/> Default for Google: "https://accounts.google.com/o/oauth2/auth". |Yes|
+| authenticationErrorPage |text or file object|A local file object, local path or direct URL of the page to display in the web browser when authentication fails in signedIn mode. Can be a Qodly URL. If not provided, the default page is used.|Yes|
+| authenticationPage|text or file object|A local file object, local path or a direct URL of the page to display in the web browser after successful authentication in signedIn mode. Can be a Qodly URL. If not provided, the default page is used.|Yes|
 | browserAutoOpen | boolean | True (default value), the web browser is open automatically. Pass false if you don't want the web browser to open automatically. |Yes|
 | clientAssertionType | text | The format of the assertion as defined by the authorization server. The value is an absolute URI. Default value: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer". Only usable with permission="Service"    |Yes|
 | clientEmail | text | (mandatory, Google / service mode only)  email address of the service account used |No|
 | clientId | text | The client ID assigned to the app by the registration portal.|No|
 | clientSecret | text | The application secret that you created for your app in the app registration portal. Required for web apps. |Yes|
-| loginHint  | text | (Optional) This option can be used to inform the Google Authentication Server which user is attempting to authenticate if your application is aware of this information. By prefilling the email field in the sign-in form or by selecting the appropriate multi-login session, the server uses the hint to simplify the login flow either.&lt;br/&gt; Set the parameter value to a sub-identifier or email address that corresponds to the user's Google ID. |Yes|
+| loginHint  | text | (Optional) This option can be used to inform the Google Authentication Server which user is attempting to authenticate if your application is aware of this information. By prefilling the email field in the sign-in form or by selecting the appropriate multi-login session, the server uses the hint to simplify the login flow either.<br/> Set the parameter value to a sub-identifier or email address that corresponds to the user's Google ID. |Yes|
 | name | text | Name of the provider. Available values: "Microsoft", "Google" or "" (if "" or undefined/null attribute, the authenticateURI and the tokenURI need to be filled by the 4D developer).|Yes|
 | nonce | text | Used for *openID* requests only. Value used to associate a client session with an `id_token`, to mitigate replay attacks. The value is passed through unmodified from the Authentication request to the `id_token`.|Yes|
-| permission | text |- "signedIn": Azure AD/Google will sign in the user and ensure they gave their consent for the permissions your app requests (opens a web browser).&lt;br/&gt;- service": the app calls [Microsoft Graph with its own identity](https://docs.microsoft.com/en-us/graph/auth-v2-servicean| false by default. If true, PKCE is used for OAuth 2.0 authentication and token requests and is only usable for permission="SignIn". |Yes|
+| permission | text |- "signedIn": Azure AD/Google will sign in the user and ensure they gave their consent for the permissions your app requests (opens a web browser).<br/>- service": the app calls [Microsoft Graph with its own identity](https://docs.microsoft.com/en-us/graph/auth-v2-servicean). False by default. If true, PKCE is used for OAuth 2.0 authentication and token requests and is only usable for permission="SignIn". |Yes|
 | PKCEMethod |text | "S256" by default. The only supported values for this parameter are "S256" or "plain". |Yes|
-| privateKey | text | Certificate private key. Only usable with permission="Service".&lt;br/&gt;(Google / service mode only)  Private key given by Google. Mandatory if .permission="service" and .name="Google" | Yes (No for certificate based authentication)|
-| prompt   | text |(Optional) A space-delimited, case-sensitive list of prompts to present the user.&lt;br/&gt;&lt;br/&gt;Possible values are:&lt;br/&gt;- none: Do not display any authentication or consent screens. Must not be specified with other values.&lt;br/&gt;- consent: Prompt the user for consent.&lt;br/&gt;- select_account: Prompt the user to select an account.&lt;br/&gt;(if you don't specify this parameter, the user will be prompted only the first time your project requests access. )|Yes|
+| privateKey | text | Certificate private key. Only usable with permission="Service".<br/>(Google / service mode only)  Private key given by Google. Mandatory if .permission="service" and .name="Google" | Yes (No for certificate based authentication)|
+| prompt   | text |(Optional) A space-delimited, case-sensitive list of prompts to present the user.<br/><br/>Possible values are:<br/>- none: Do not display any authentication or consent screens. Must not be specified with other values.<br/>- consent: Prompt the user for consent.<br/>- select_account: Prompt the user to select an account.<br/>(if you don't specify this parameter, the user will be prompted only the first time your project requests access. )|Yes|
 | redirectURI | text | (Not used in service mode) The redirect_uri of your app, i.e. the location where the authorization server sends the user once the app has been successfully authorized. Depending on the port specified in this property, the authentication response goes to the [web server of the host or of the 4DNetKit when you call the `.getToken()` class function.  |No in signedIn mode, Yes in service mode|
-| scope | text or collection | Text: A space-separated list of the Microsoft Graph or Google permissions that you want the user to consent to.&lt;/br&gt; Collection: Collection of Microsoft Graph or Google permissions. |Yes|
+| scope | text or collection | Text: A space-separated list of the Microsoft Graph or Google permissions that you want the user to consent to.<br/> Collection: Collection of Microsoft Graph or Google permissions. |Yes|
 | state | text | Opaque value used to maintain state between the request and the callback. If not present, automatically generated by 4D Netkit. |Yes|
-| tenant | text | Microsoft: The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are: - "common" for both Microsoft accounts and work or school accounts (default value)&lt;br/&gt;- "organizations" for work or school accounts only &lt;br/&gt;- "consumers" for Microsoft accounts only&lt;br/&gt;- tenant identifiers such as tenant ID or domain name.&lt;br/&gt;Google (service mode only): Email address to be considered as the email address of the user for which the application is requesting delegated access. |Yes|
+| tenant | text | Microsoft: The {tenant} value in the path of the request can be used to control who can sign into the application. The allowed values are: - "common" for both Microsoft accounts and work or school accounts (default value)<br/>- "organizations" for work or school accounts only <br/>- "consumers" for Microsoft accounts only<br/>- tenant identifiers such as tenant ID or domain name.<br/>Google (service mode only): Email address to be considered as the email address of the user for which the application is requesting delegated access. |Yes|
 | thumbprint |text | Certificate thumbprint. Only usable with permission="Service" | Yes (No for certificate based authentication)|
 | timeout|real| Waiting time in seconds (by default 120s).|Yes|
 | token | object | If this property exists, the `getToken()` function uses this token object to calculate which request must be sent. It is automatically updated with the token received by the `getToken()` function.   |Yes|
 | tokenExpiration | text | Timestamp (ISO 8601 UTC) that indicates the expiration time of the token.| Yes|
-| tokenURI | text | Uri used to request an access token.&lt;br/&gt; Default for Microsoft: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token".&lt;br/&gt; Default for Google: "https://accounts.google.com/o/oauth2/token".|Yes|
+| tokenURI | text | Uri used to request an access token.<br/> Default for Microsoft: "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token".<br/> Default for Google: "https://accounts.google.com/o/oauth2/token".|Yes|
 
 
 
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 <div class="footer border-top border-gray-light mt-5 pt-3 text-right text-black">
-        Version: 20 R10
+        Version: 21
       </div>
       
 # 4D NetKit
@@ -9,6 +9,7 @@
 ## Table of contents
 
 * [OAuth2Provider class](Documentation/Classes/OAuth2Provider.md)
+* [JWT class](Documentation/Classes/JWT.md)
 * [Office365 class](Documentation/Classes/Office365.md)
 * [Google class](Documentation/Classes/Google.md)
 * [Tutorial : Authenticate to the Microsoft Graph API in service mode](Documentation/Tutorial.md)
