Authorisation request validator SPI

1. Additional validation of authorisation requests

The authorisation endpoint of the Connect2id server performs standard checks on the authorisation request, such as ensuring the overall validity of the request and that the client is registered for the requested response_type. If the client submitted a JWT-secured request (JAR), it will be validated and unwrapped.

A Java Service Provider Interface (SPI) is made available for carrying out additional checks on the authorisation request, after the Connect2id server has completed the standard validation. You can use it to plug in your own custom rules for additional validation, or to perform some modification of the parameters.

The SPI is available since v11.2.

2. Authorisation request validator SPI

To plug in your own custom checks implement the AuthorizationRequestValidator SPI defined in the Connect2id server toolkit:

https://bitbucket.org/connect2id/server-sdk

Features of the authorisation request validator SPI:

  • Carry out additional validation of the authorisation request.
  • Carry out optional modification of the request parameters.
  • Provides access to the registered information for the client.
  • If the request is rejected allows setting of an error code and description, with the option to disable redirection back to the client with the error.

If the Connect2id server detects an SPI implementation it will log its loading under OP2113.

INFO main MAIN - [OP2113] Loaded authorization request validator: com.nimbusds.openid.connect.provider.spi.authz.impl.SampleAuthzValidator

3. Example

Sample validator to check if the submitted authorisation request scope values are present in the OAuth 2.0 client registration. Note, for OpenID the AuthorizationRequest will be an instance of AuthenticationRequest and can be cast to it if needed.

import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.provider.spi.authz.*;

public class ScopeValidator implements AuthorizationRequestValidator {

    @Override
    public AuthorizationRequest validateAuthorizationRequest(
        final AuthorizationRequest authzRequest,
        final ValidatorContext validatorCtx)

        throws InvalidAuthorizationRequestException {

        OIDCClientInformation clientInfo = validatorCtx.getOIDCClientInformation();

        if (clientInfo.getMetadata().getScope() == null ||
            ! clientInfo.getMetadata().getScope().containsAll(authzRequest.getScope())) {

            Scope unacceptedScope = new Scope(authzRequest.getScope());
            unacceptedScope.removeAll(clientInfo.getMetadata().getScope());

            String msg = "Scope not accepted: " + unacceptedScope;

            throw new InvalidAuthorizationRequestException(
                msg, // will be logged
                OAuth2Error.INVALID_SCOPE.setDescription(msg),
                false // redirection not disabled
            );
        }

        return authzRequest; // pass
    }
}

4. Support

Our Connect2id support team is available if you need help with integrating a custom authorisation request validator.