Client metadata validator SPI
When a new OAuth 2.0 client or OpenID Connect relying party gets registered with the Connect2id server a series of standard checks will be performed on the supplied metadata, such as checking if any supplied redirection URI(s) are legal.
A plugin interface (SPI) is made available for carrying out additional checks on the metadata, after the Connect2id server has completed the standard validation. You can use it to plug in your own custom rules for additional validation and shaping of the client metadata.
The SPI is available since v7.10.
2. Client metadata validator SPI
To plug in your own custom checks implement the FinalMetadataValidator SPI defined in the Connect2id server toolkit:
Features of the validator SPI:
- Allows carrying out additional validation of the metadata.
- Allows shaping (modification) of the metadata.
- Provides information about the type of authorisation credential used at the registration endpoint (master, initial or registration token, open registration).
- Provides an initialisation method, e.g. for configuration purposes.
If the Connect2id server detects an SPI implementation it will log its loading
INFO main MAIN - [OP5177] Loaded final OAuth 2.0 client metadata validator: class=com.nimbusds.openid.connect.provider.spi.reg.impl.SampleValidator enabled=true INFO main MAIN - [OP5177] Loaded final OAuth 2.0 client metadata validator: class=com.nimbusds.openid.connect.provider.spi.reg.impl.OtherSampleValidator enabled=false
3. Included implementation
The Connect2id server includes a simple internal implementation which checks if the hostname of the logo_uri and policy_uri parameters (if set) matches a host in the redirect_uris (if set), according to OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1, section 9.1.
These additional checks are enabled by default in the included configuration file:
You can override the setting by editing the configuration file or with a simple Java system property override: