001package com.nimbusds.openid.connect.provider.spi.par; 002 003 004import net.jcip.annotations.ThreadSafe; 005 006import com.nimbusds.oauth2.sdk.AuthorizationRequest; 007import com.nimbusds.oauth2.sdk.GeneralException; 008 009 010/** 011 * Service Provider Interface (SPI) for performing additional validation of 012 * Pushed Authorisation Requests (PAR). 013 * 014 * <p>The {@link #validate} method will be called after the Connect2id server 015 * has performed standard validation of the OAuth 2.0 authorisation / OpenID 016 * authentication request, such as such as checking the {@code client_id} and 017 * ensuring the client is authorised the use the OAuth 2.0 grant. JWT-secured 018 * authorisation requests (JAR) will be unwrapped / resolved before that. 019 * 020 * <p>The {@link #validate} method can reject the request by throwing a 021 * {@link GeneralException} with an appropriate HTTP status code and error 022 * code. The exception message will be logged and not output to the client. 023 * 024 * <p>Example: 025 * 026 * <pre> 027 * throw new GeneralException("Scope not accepted scope", // will be logged 028 * OAuth2Error.INVALID_SCOPE 029 * .setHTTPStatusCode(400) 030 * .setDescription("Scope not accepted: some_scope")); 031 * </pre> 032 * 033 * The resulting HTTP response: 034 * 035 * <pre> 036 * HTTP/1.1 400 Bad Request 037 * Content-Type: application/json;charset=UTF-8 038 * Cache-Control: no-store 039 * Pragma: no-cache 040 * 041 * { 042 * "error" : "invalid_scope", 043 * "error_description" : "Scope not accepted: some_scope" 044 * } 045 * </pre> 046 * 047 * <p>Implementations must be thread-safe. 048 */ 049@ThreadSafe 050public interface PARValidator { 051 052 053 /** 054 * Validates the specified OAuth 2.0 authorisation / OpenID 055 * authentication request. 056 * 057 * @param authzRequest The request to perform additional validation on. 058 * Not {@code null}. 059 * @param validatorCtx The PAR validator context. Not {@code null}. 060 * 061 * @throws GeneralException If the request is rejected. Should include 062 * an appropriate HTTP status code and error 063 * code. 064 */ 065 void validate(final AuthorizationRequest authzRequest, final ValidatorContext validatorCtx) 066 throws GeneralException; 067}