Interface AuthorizationRequestValidator

All Superinterfaces:
Lifecycle

@ThreadSafe public interface AuthorizationRequestValidator extends Lifecycle
Service Provider Interface (SPI) for performing additional validation of OAuth 2.0 authorisation / OpenID authentication requests.

The validateAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext) method will be called after the Connect2id server has performed standard validation of the OAuth 2.0 authorisation / OpenID authentication request, such as checking the client_id and redirect_uri. JWT-secured authorisation requests (JAR) will be unwrapped / resolved before that. The original raw request can be obtained from the context.

The validated request can be returned modified. Modifications should be limited to optional parameters. Parameters such as client_id, response_type, redirect_uri and state must not be modified.

The validateAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest, com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext) method can reject the request by throwing an InvalidAuthorizationRequestException with an appropriate error code and an optional description. When the request is rejected, the redirection back to the OAuth 2.0 client can also optionally be disabled.

Example:

 throw new InvalidAuthorizationRequestException(
         "Scope not accepted", // will be logged
         OAuth2Error.INVALID_SCOPE.setDescription("Scope not accepted: some_scope"),
         false // redirection not disabled
 );


Example resulting response:

 HTTP/1.1 302 Found
 Location: https://client.example.com/cb?
  error=invalid_scope
  &error_description=Scope%20not%20accepted%3A%20some_scope
  &state=UeFi0Eu3siPaJahl
 

Implementations must be thread-safe.
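A complete validator built on the contract above, added here as an example rather than code from the Connect2id project: it rejects any scope value outside a constructed allow-list with an invalid_scope error while keeping the redirect back to the client, and returns the request unchanged otherwise. It assumes the exception class lives in the same package as ValidatorContext and that Lifecycle.init takes a com.nimbusds.openid.connect.provider.spi.InitContext.

```java
import java.util.Set;

import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.provider.spi.InitContext; // assumed location
import com.nimbusds.openid.connect.provider.spi.authz.AuthorizationRequestValidator;
import com.nimbusds.openid.connect.provider.spi.authz.InvalidAuthorizationRequestException; // assumed package
import com.nimbusds.openid.connect.provider.spi.authz.ValidatorContext;

// Hypothetical validator: only the listed scope values may be requested.
// No mutable state, so the instance is safe to share between threads.
public class ScopeAllowListValidator implements AuthorizationRequestValidator {

    // Constructed allow-list for the example; a real deployment would load it in init(...)
    private static final Set<String> ALLOWED_SCOPE_VALUES = Set.of("openid", "profile", "email");

    @Override
    public void init(InitContext initContext) { /* nothing to initialise here */ }

    @Override
    public boolean isEnabled() { return true; }

    @Override
    public void shutdown() { /* nothing to release */ }

    @Override
    public AuthorizationRequest validateAuthorizationRequest(AuthorizationRequest authzRequest,
                                                             ValidatorContext validatorCtx)
            throws InvalidAuthorizationRequestException {

        Scope scope = authzRequest.getScope();
        if (scope == null) {
            return authzRequest; // no scope parameter: nothing for this validator to check
        }

        // Scope is a set of Scope.Value; reject on the first value not on the allow-list
        for (Scope.Value value : scope) {
            if (!ALLOWED_SCOPE_VALUES.contains(value.getValue())) {
                throw new InvalidAuthorizationRequestException(
                        "Scope not accepted: " + value, // logged by the server
                        OAuth2Error.INVALID_SCOPE.setDescription("Scope not accepted: " + value),
                        false); // keep the redirect: client_id and redirect_uri were already validated
            }
        }

        // Accepted: return the request as received (only optional parameters may ever be changed)
        return authzRequest;
    }
}
```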

  • Method Summary

    Modifier and Type: com.nimbusds.oauth2.sdk.AuthorizationRequest
    Method: validateAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx)
    Description: Validates the specified OAuth 2.0 authorisation / OpenID authentication request.

    Methods inherited from interface com.nimbusds.openid.connect.provider.spi.Lifecycle

    init, isEnabled, shutdown
  • Method Details

    • validateAuthorizationRequest

      com.nimbusds.oauth2.sdk.AuthorizationRequest validateAuthorizationRequest(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, ValidatorContext validatorCtx) throws InvalidAuthorizationRequestException
      Validates the specified OAuth 2.0 authorisation / OpenID authentication request.
      Parameters:
      authzRequest - The request to perform additional validation on. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.
      validatorCtx - The authorisation request validator context. Not null.
      Returns:
      The validated OAuth 2.0 authorisation / OpenID authentication request. It may be modified. Must not be null.
      Throws:
      InvalidAuthorizationRequestException - If the request is rejected.