Authorisation request validator
1. Additional validation of authorisation requests
The authorisation endpoint of the Connect2id
server performs standard checks on the received requests,
for that the client is registered for the requested response_type. If the
request is JWT-secured (JAR), it will be validated and unwrapped.
A plugin interface (SPI) is made available for carrying out additional checks on the authorisation requests, after the Connect2id server has completed the standard validations. You can use it to plug in your own custom rules to perform additional validation, or to modify a request parameter.
Note that starting with v14.0, the Connect2id
server automatically filters
the requested scope values to those registered for the client, provided each
client is registered with a scope metadata
parameter. To perform a diffent scope validation, for example by calling a
service that manages the scopes in a Connect2id server deployment, use this
plugin.
This SPI is available since v11.2.
2. Authorisation request validator SPI
To plug in your own custom checks implement the AuthorizationRequestValidator SPI defined in the Connect2id server toolkit:
| Git repo | https://bitbucket.org/connect2id/server-sdk |
|---|
Features of the authorisation request validator SPI:
- Carry out additional validation of the authorisation request.
- Carry out optional modification of the request parameters.
- Provides access to the registered information for the client.
- If the request is rejected allows setting of an error code and description, with the option to disable redirection back to the client with the error.
If the Connect2id server detects an SPI implementation it will log its loading
under OP2113.
INFO main MAIN - [OP2113] Loaded authorization request validator: com.nimbusds.openid.connect.provider.spi.authz.impl.SampleAuthzValidator
3. Example
Sample validator to ensure all received authorisation requests include the
optional state parameter. Note, for OpenID the AuthorizationRequest will be
an instance of AuthenticationRequest and can be cast to it if needed.
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.provider.spi.authz.*;
public class StatePresenceValidator implements AuthorizationRequestValidator {
@Override
public AuthorizationRequest validateAuthorizationRequest(
final AuthorizationRequest authzRequest,
final ValidatorContext validatorCtx)
throws InvalidAuthorizationRequestException {
if (authzRequest.getState() == null) {
String msg = "The state parameter is required";
throw new InvalidAuthorizationRequestException(
msg, // will be logged
OAuth2Error.INVALID_REQUEST.setDescription(msg),
false // redirection not disabled
);
}
return authzRequest; // pass
}
}