com.nimbusds.openid.connect.provider.spi.par

Interface PARValidator

@ThreadSafe
public interface PARValidator

Service Provider Interface (SPI) for performing additional validation of Pushed Authorisation Requests (PAR).

The validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.par.ValidatorContext) method will be called after the Connect2id server has performed standard validation of the OAuth 2.0 authorisation / OpenID authentication request, such as such as checking the client_id and ensuring the client is authorised to use the OAuth 2.0 grant. JWT-secured authorisation requests (JAR) will be unwrapped / resolved before that.

The validated request can be returned modified. Modifications should be limited to optional parameters. Parameters such as client_id, response_type, redirect_uri and state must not be modified.

The validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.par.ValidatorContext) method can reject the request by throwing an InvalidPushedAuthorizationRequestException with an appropriate HTTP status code and error code. The exception message will be logged and not output to the client.

Example:

 throw new InvalidPARException("Scope not accepted scope", // will be logged
        OAuth2Error.INVALID_SCOPE
        .setHTTPStatusCode(400)
        .setDescription("Scope not accepted: some_scope"));
 

The resulting HTTP response:

 HTTP/1.1 400 Bad Request
 Content-Type: application/json;charset=UTF-8
 Cache-Control: no-store
 Pragma: no-cache

 {
   "error"             : "invalid_scope",
   "error_description" : "Scope not accepted: some_scope"
 }
 

Implementations must be thread-safe.

Method Summary

Modifier and Type	Method and Description
default void	validate(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx) Deprecated.
default com.nimbusds.oauth2.sdk.AuthorizationRequest	validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx) Validates the specified OAuth 2.0 authorisation / OpenID authentication request.

Method Detail

validate

@Deprecated
default void validate(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest,
                                  ValidatorContext validatorCtx)
                           throws com.nimbusds.oauth2.sdk.GeneralException

Deprecated.

Validates the specified OAuth 2.0 authorisation / OpenID authentication request.

Deprecated, use validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.par.ValidatorContext) instead.

Parameters:

authzRequest - The request to perform additional validation on. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.

validatorCtx - The PAR validator context. Not null.

Throws:

com.nimbusds.oauth2.sdk.GeneralException - If the request is rejected. Should include an appropriate HTTP status and error code.

validatePushedAuthorizationRequest

default com.nimbusds.oauth2.sdk.AuthorizationRequest validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest,
                                                                                        ValidatorContext validatorCtx)
                                                                                 throws InvalidPushedAuthorizationRequestException

Validates the specified OAuth 2.0 authorisation / OpenID authentication request.

Parameters:

authzRequest - The request to perform additional validation on. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.

validatorCtx - The PAR validator context. Not null.

Returns:

The validated OAuth 2.0 authorisation / OpenID authentication request. It may be modified. Must not be null.

Throws:

InvalidPushedAuthorizationRequestException - If the request is rejected.