Interface PARValidator
All Superinterfaces: Lifecycle
@ThreadSafe public interface PARValidator extends Lifecycle
Service Provider Interface (SPI) for performing additional validation of Pushed Authorisation Requests (PAR).

The validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.par.ValidatorContext) method will be called after the Connect2id server has performed standard validation of the OAuth 2.0 authorisation / OpenID authentication request, such as checking the client_id and ensuring the client is authorised to use the OAuth 2.0 grant. JWT-secured authorisation requests (JAR) will be unwrapped / resolved before that.

The validated request can be returned modified. Modifications should be limited to optional parameters. Parameters such as client_id, response_type, redirect_uri and state must not be modified.

The validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.par.ValidatorContext) method can reject the request by throwing an InvalidPushedAuthorizationRequestException with an appropriate HTTP status code and error code. The exception message will be logged and not output to the client.

Example:

    throw new InvalidPushedAuthorizationRequestException(
        "Scope not accepted scope", // will be logged
        OAuth2Error.INVALID_SCOPE
            .setHTTPStatusCode(400)
            .setDescription("Scope not accepted: some_scope"));

The resulting HTTP response:

    HTTP/1.1 400 Bad Request
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache

    {
      "error" : "invalid_scope",
      "error_description" : "Scope not accepted: some_scope"
    }

Implementations must be thread-safe.
Method Summary
- default void validate(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx)
  Deprecated.
- default com.nimbusds.oauth2.sdk.AuthorizationRequest validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx)
  Validates the specified OAuth 2.0 authorisation / OpenID authentication request.
Method Detail
validate
@Deprecated default void validate(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx) throws com.nimbusds.oauth2.sdk.GeneralException
Deprecated.
Validates the specified OAuth 2.0 authorisation / OpenID authentication request. Deprecated, use validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.par.ValidatorContext) instead.
Parameters:
authzRequest - The request to perform additional validation on. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.
validatorCtx - The PAR validator context. Not null.
Throws:
com.nimbusds.oauth2.sdk.GeneralException - If the request is rejected. Should include an appropriate HTTP status and error code.
validatePushedAuthorizationRequest
default com.nimbusds.oauth2.sdk.AuthorizationRequest validatePushedAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx) throws InvalidPushedAuthorizationRequestException
Validates the specified OAuth 2.0 authorisation / OpenID authentication request.
Parameters:
authzRequest - The request to perform additional validation on. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.
validatorCtx - The PAR validator context. Not null.
Returns:
The validated OAuth 2.0 authorisation / OpenID authentication request. It may be modified. Must not be null.
Throws:
InvalidPushedAuthorizationRequestException - If the request is rejected.