Client metadata validator SPI

1. Introduction

When a new OAuth 2.0 client or OpenID Connect relying party is registered with the Connect2id server, a series of standard checks is performed on the supplied metadata, such as checking whether the supplied redirection URI(s) are legal.

A Java Service Provider Interface (SPI) is made available for carrying out additional checks on the metadata, after the Connect2id server has completed the standard validation. You can use it to plug in your own custom rules for additional validation and shaping of the client metadata.

The SPI has been available since v7.10.

2. Client metadata validator SPI

To plug in your own custom checks, use the FinalMetadataValidator SPI defined in the Connect2id server toolkit:

https://bitbucket.org/connect2id/server-sdk

Features of the validator SPI:

  • Allows carrying out additional validation of the metadata.
  • Allows shaping (modification) of the metadata.
  • Provides information about the type of authorisation credential used at the registration endpoint (master, initial or registration token, open registration).
  • Provides an initialisation method, e.g. for configuration purposes.

3. Included implementation

The Connect2id server includes a simple internal implementation which checks if the hostname of the logo_uri and policy_uri parameters (if set) matches a host in the redirect_uris (if set), according to OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1, section 9.1.

These additional checks are enabled by default in the included configuration file:

/WEB-INF/additionalClientMetadataChecks.properties

You can override the setting by editing the configuration file or with a simple Java system property override:

-Dop.additionalClientMetadataChecks.enable=true
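
The host comparison described above for logo_uri and policy_uri can be sketched in plain Java as follows. This is an added example, not the Connect2id server's own code and not wired to the FinalMetadataValidator interface; the class and method names are hypothetical, and skipping the check when no redirect_uris host is available is an assumption based on the "(if set)" wording.

```java
import java.net.URI;
import java.util.*;

public class UriHostMatchCheck {

    /** Returns the names of the set parameters whose host is not a redirect_uris host. */
    static List<String> mismatches(Map<String, URI> params, Collection<URI> redirectURIs) {
        Set<String> allowedHosts = new HashSet<>();
        for (URI u : redirectURIs) {
            if (u.getHost() != null) {
                allowedHosts.add(u.getHost().toLowerCase(Locale.ROOT));
            }
        }
        List<String> failed = new ArrayList<>();
        if (allowedHosts.isEmpty()) {
            return failed; // assumption: no redirect_uris hosts set, nothing to compare
        }
        for (Map.Entry<String, URI> e : params.entrySet()) {
            URI uri = e.getValue();
            if (uri == null) {
                continue; // parameter not set, check does not apply
            }
            String host = uri.getHost(); // null for opaque or relative URIs
            if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
                failed.add(e.getKey());
            }
        }
        return failed;
    }

    public static void main(String[] args) {
        // Constructed sample metadata, not taken from a real registration
        List<URI> redirectURIs = List.of(
            URI.create("https://client.example.org/cb"),
            URI.create("https://APP.example.org/cb"));
        Map<String, URI> params = new LinkedHashMap<>();
        params.put("logo_uri", URI.create("https://app.example.org/logo.png"));
        params.put("policy_uri", URI.create("https://cdn.example.net/policy.html"));

        List<String> failed = mismatches(params, redirectURIs);
        if (failed.isEmpty()) {
            System.out.println("Host check passed");
        } else {
            System.out.println("Host mismatch, reject registration: " + failed);
        }
    }
}
```

Hosts are compared case-insensitively, and a URI with no host component is treated as a mismatch rather than silently accepted.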

4. Support

Our Connect2id support team is available if you need help with integrating a custom metadata validator.