Client metadata validator SPI

1. Overview

When a new OAuth 2.0 client or OpenID Connect relying party is registered with the Connect2id server, a series of standard checks is performed on the supplied metadata, for example whether the supplied redirection URI(s) are legal.

A plugin interface (SPI) is available for carrying out additional checks on the metadata after the Connect2id server has completed its standard validation. You can use it to plug in your own rules for further validation and shaping (modification) of the client metadata before it is stored.

2. Client metadata validator SPI

To plug in your own custom checks, implement the FinalMetadataValidator SPI defined in the Connect2id server SDK:

Git repo: https://bitbucket.org/connect2id/server-sdk

Features of the validator SPI:

  • Allows carrying out additional validation of the metadata.
  • Allows shaping (modification) of the metadata.
  • Provides information about the type of authorisation credential used at the registration endpoint (master, initial or registration token, open registration), so a rule can be stricter for open registration than for registrations made with a trusted token.
  • Provides an initialisation method, e.g. for configuration purposes.

If the Connect2id server detects an SPI implementation it logs its loading under OP5177, including whether the implementation reports itself as enabled:

INFO main MAIN - [OP5177] Loaded final OAuth 2.0 client metadata validator: class=com.nimbusds.openid.connect.provider.spi.reg.impl.SampleValidator enabled=true
INFO main MAIN - [OP5177] Loaded final OAuth 2.0 client metadata validator: class=com.nimbusds.openid.connect.provider.spi.reg.impl.OtherSampleValidator enabled=false
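The following is an added example of such a validator; it is not code from the Connect2id server or its SDK. It rejects redirect_uris that are not HTTPS (plain HTTP is tolerated only on loopback hosts, as native apps use) or that carry a fragment, and it shapes the metadata by trimming the client name. The metadata accessors come from the Nimbus OAuth 2.0 SDK (OIDCClientMetadata, RegistrationError, ErrorObject). The exact validate(...) signature, the ValidatorContext type and the InvalidClientMetadataException constructor are assumptions about the server SDK and should be checked against the version you build against; the system property name read in init is invented for this example.

```java
package com.example.reg;

import java.net.URI;
import java.util.Set;

import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.client.RegistrationError;
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.reg.FinalMetadataValidator;
import com.nimbusds.openid.connect.provider.spi.reg.InvalidClientMetadataException;
import com.nimbusds.openid.connect.provider.spi.reg.ValidatorContext;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;

/**
 * Added example, not part of the Connect2id server or its SDK.
 * Assumed from the SDK: the validate(...) signature and the
 * ValidatorContext parameter; verify against your server-sdk version.
 */
public class HttpsRedirectURIValidator implements FinalMetadataValidator {

    // Hosts on which plain http:// redirect URIs are tolerated (native apps).
    // java.net.URI.getHost() keeps the brackets of an IPv6 literal.
    private static final Set<String> LOOPBACK_HOSTS =
        Set.of("localhost", "127.0.0.1", "[::1]");

    private boolean enabled = true;

    @Override
    public void init(final InitContext initCtx) {
        // Configuration hook; the property name below is an assumption
        // made for this example, not a Connect2id server setting.
        enabled = !"false".equalsIgnoreCase(
            System.getProperty("example.httpsRedirectValidator.enable"));
    }

    @Override
    public boolean isEnabled() {
        return enabled;
    }

    @Override
    public void shutdown() {
        // Nothing to release in this example
    }

    /** Returns null if the redirect URI is acceptable, else the reason for rejection. */
    static String rejectionReason(final URI uri) {
        if (!uri.isAbsolute()) {
            return "redirect_uri must be absolute: " + uri;
        }
        if (uri.getRawFragment() != null) {
            // RFC 6749, section 3.1.2: the redirection endpoint URI must not include a fragment
            return "redirect_uri must not contain a fragment: " + uri;
        }
        String scheme = uri.getScheme().toLowerCase();
        String host = uri.getHost();
        if ("https".equals(scheme)) {
            return null;
        }
        if ("http".equals(scheme) && host != null && LOOPBACK_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        return "redirect_uri must use https (plain http is allowed on loopback only): " + uri;
    }

    @Override
    public OIDCClientMetadata validate(final OIDCClientMetadata metadata,
                                       final ValidatorContext ctx)
        throws InvalidClientMetadataException {

        // Additional validation: runs after the server's standard checks
        Set<URI> redirectURIs = metadata.getRedirectionURIs();
        if (redirectURIs != null) {
            for (URI uri : redirectURIs) {
                String reason = rejectionReason(uri);
                if (reason != null) {
                    // Returned to the registering client as an invalid_redirect_uri error
                    ErrorObject error = RegistrationError.INVALID_REDIRECT_URI
                        .appendDescription(": " + reason);
                    throw new InvalidClientMetadataException(error);
                }
            }
        }

        // Shaping: normalise the human-readable client name before it is stored
        if (metadata.getName() != null) {
            metadata.setName(metadata.getName().trim());
        }

        return metadata;
    }
}
```

The server discovers SPI implementations through the standard Java ServiceLoader mechanism, so the class must be named in a META-INF/services/com.nimbusds.openid.connect.provider.spi.reg.FinalMetadataValidator resource on the server's classpath. Keep the validator side-effect free apart from the returned metadata: it runs for every registration request, including unauthenticated ones when open registration is enabled.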

3. Included implementation

The Connect2id server includes a simple internal implementation which checks whether the hostname of the logo_uri and policy_uri parameters (if set) matches a host in the redirect_uris (if set), as recommended in OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1, section 9.1, to prevent a client from impersonating another party on the consent page.

These additional checks are enabled by default in the included configuration file:

/WEB-INF/additionalClientMetadataChecks.properties

You can override the setting by editing the configuration file or with a Java system property override (set it to false to turn the checks off):

-Dop.additionalClientMetadataChecks.enable=true