Source code

001package com.nimbusds.openid.connect.provider.spi.authz;
002
003
004import net.jcip.annotations.ThreadSafe;
005
006import com.nimbusds.oauth2.sdk.AuthorizationRequest;
007
008
009/**
010 * Service Provider Interface (SPI) for performing additional validation of
011 * OAuth 2.0 authorisation / OpenID authentication requests.
012 *
013 * <p>The {@link #validateRequest} method will be called after the Connect2id
014 * server has performed standard validation of the OAuth 2.0 authorisation /
015 * OpenID authentication request, such as such as checking the
016 * {@code client_id} and {@code redirect_uri}. JWT-secured authorisation
017 * requests (JAR) will be unwrapped / resolved before that.
018 *
019 * <p>The validated request can be returned modified. Modifications should be
020 * limited to optional parameters. Parameters such as {@code client_id},
021 * {@code response_type}, {@code redirect_uri} and {@code state} must not be
022 * modified.
023 *
024 * <p>The {@link #validateRequest} method can reject the request by throwing a
025 * {@link InvalidAuthorizationRequestException} with an appropriate error code
026 * and optional description. When the request is rejected the redirection back
027 * to the OAuth 2.0 client can also optionally be disabled.
028 *
029 * <p>Example:
030 *
031 * <pre>
032 * throw new InvalidAuthorizationRequestException(
033 *      "Scope not accepted", // will be logged
034 *      OAuth2Error.INVALID_SCOPE.setDescription("Scope not accepted: some_scope"),
035 *      false // redirection not disabled
036 * );
037 * </pre>
038 *
039 * <p>Example resulting response:
040 *
041 * <pre>
042 * HTTP/1.1 302 Found
043 * Location: https://client.example.com/cb?
044 *  error=invalid_scope
045 *  &error_description=Scope%20not%20accepted%3A%20some_scope
046 *  &state=UeFi0Eu3siPaJahl
047 * </pre>
048 *
049 * <p>Implementations must be thread-safe.
050 */
051@ThreadSafe
052public interface AuthorizationRequestValidator {
053        
054        
055        /**
056         * Validates the specified OAuth 2.0 authorisation / OpenID
057         * authentication request.
058         *
059         * @param authzRequest The request to perform additional validation on.
060         *                     Can be cast to
061         *                     {@link com.nimbusds.openid.connect.sdk.AuthenticationRequest}
062         *                     for an instance of an OpenID authentication
063         *                     request.
064         *                     Not {@code null}.
065         * @param validatorCtx The authorisation request validator context. Not
066         *                     {@code null}.
067         *
068         * @return The validated OAuth 2.0 authorisation / OpenID
069         * authentication request. It may be modified. Must not be
070         * {@code null}.
071         *
072         * @throws InvalidAuthorizationRequestException If the request is
073         *                                              rejected.
074         */
075        AuthorizationRequest validateRequest(final AuthorizationRequest authzRequest,
076                                             final ValidatorContext validatorCtx)
077                throws InvalidAuthorizationRequestException;
078}