Source code

001package com.nimbusds.openid.connect.provider.spi.par;
002
003
004import net.jcip.annotations.ThreadSafe;
005
006import com.nimbusds.oauth2.sdk.AuthorizationRequest;
007import com.nimbusds.oauth2.sdk.GeneralException;
008
009
010/**
011 * Service Provider Interface (SPI) for performing additional validation of
012 * Pushed Authorisation Requests (PAR).
013 *
014 * <p>The {@link #validatePushedAuthorizationRequest} method will be called
015 * after the Connect2id server has performed standard validation of the OAuth
016 * 2.0 authorisation / OpenID authentication request, such as such as checking
017 * the {@code client_id} and ensuring the client is authorised to use the OAuth
018 * 2.0 grant. JWT-secured authorisation requests (JAR) will be unwrapped /
019 * resolved before that.
020 *
021 * <p>The validated request can be returned modified. Modifications should be
022 * limited to optional parameters. Parameters such as {@code client_id},
023 * {@code response_type}, {@code redirect_uri} and {@code state} must not be
024 * modified.
025 *
026 * <p>The {@link #validatePushedAuthorizationRequest} method can reject the
027 * request by throwing an {@link InvalidPushedAuthorizationRequestException}
028 * with an appropriate HTTP status code and error code. The exception message
029 * will be logged and not output to the client.
030 *
031 * <p>Example:
032 *
033 * <pre>
034 * throw new InvalidPARException("Scope not accepted scope", // will be logged
035 *      OAuth2Error.INVALID_SCOPE
036 *      .setHTTPStatusCode(400)
037 *      .setDescription("Scope not accepted: some_scope"));
038 * </pre>
039 *
040 * The resulting HTTP response:
041 *
042 * <pre>
043 * HTTP/1.1 400 Bad Request
044 * Content-Type: application/json;charset=UTF-8
045 * Cache-Control: no-store
046 * Pragma: no-cache
047 *
048 * {
049 *   "error"             : "invalid_scope",
050 *   "error_description" : "Scope not accepted: some_scope"
051 * }
052 * </pre>
053 *
054 * <p>Implementations must be thread-safe.
055 */
056@ThreadSafe
057public interface PARValidator {
058        
059        
060        /**
061         * Validates the specified OAuth 2.0 authorisation / OpenID
062         * authentication request.
063         *
064         * <p>Deprecated, use {@link #validatePushedAuthorizationRequest}
065         * instead.
066         *
067         * @param authzRequest The request to perform additional validation on.
068         *                     Can be cast to
069         *                     {@link com.nimbusds.openid.connect.sdk.AuthenticationRequest}
070         *                     for an instance of an OpenID authentication
071         *                     request.
072         *                     Not {@code null}.
073         * @param validatorCtx The PAR validator context. Not {@code null}.
074         *
075         * @throws GeneralException If the request is rejected. Should include
076         *                          an appropriate HTTP status and error code.
077         */
078        @Deprecated
079        default void validate(final AuthorizationRequest authzRequest, final ValidatorContext validatorCtx)
080                throws GeneralException {
081                
082                try {
083                        validatePushedAuthorizationRequest(authzRequest, validatorCtx);
084                } catch (InvalidPushedAuthorizationRequestException e) {
085                        throw new GeneralException(e.getMessage(), e.getErrorObject());
086                }
087        }
088        
089        
090        /**
091         * Validates the specified OAuth 2.0 authorisation / OpenID
092         * authentication request.
093         *
094         * @param authzRequest The request to perform additional validation on.
095         *                     Can be cast to
096         *                     {@link com.nimbusds.openid.connect.sdk.AuthenticationRequest}
097         *                     for an instance of an OpenID authentication
098         *                     request.
099         *                     Not {@code null}.
100         * @param validatorCtx The PAR validator context. Not {@code null}.
101         *
102         * @return The validated OAuth 2.0 authorisation / OpenID
103         * authentication request. It may be modified. Must not be
104         * {@code null}.
105         *
106         * @throws InvalidPushedAuthorizationRequestException If the request is
107         *                                                    rejected.
108         */
109        default AuthorizationRequest validatePushedAuthorizationRequest(final AuthorizationRequest authzRequest,
110                                                                        final ValidatorContext validatorCtx)
111                throws InvalidPushedAuthorizationRequestException {
112                
113                try {
114                        validate(authzRequest, validatorCtx);
115                } catch (GeneralException e) {
116                        throw new InvalidPushedAuthorizationRequestException(e.getMessage(), e.getErrorObject());
117                }
118                return authzRequest;
119        }
120}