Interface WebSSOEligibilityChecker
public interface WebSSOEligibilityChecker
Service Provider Interface (SPI) for plugging additional checks whether an
OAuth 2.0 authorisation / OpenID authentication request is eligible for
single sign-on (SSO), after the Connect2id server has completed its own
checks.
Prior to calling this SPI the Connect2id server ensures the following conditions are met for a request to be eligible for SSO:
- A subject (end-user) session is present.
- The subject session authentication lifetime (auth_life), if specified for the session, has not expired.
- If the request is an OpenID authentication request with a maximum authentication age (max_age) or an ACR level (acr_values), the subject session satisfies them.
- If a particular user identity is required (via an id_token_hint), it matches the session subject.
- The request doesn't specify a prompt of login, select_account or create.
- The Connect2id server configuration doesn't trigger an authentication prompt.
If the OAuth 2.0 authorisation / OpenID authentication request is
eligible for SSO the check method returns true.
Else the method returns false, to cause the Connect2id server to
prompt the end-user for authentication.
Implementations must be thread-safe.
Method Summary
- boolean isEligible(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation clientInfo, SubjectSession subjectSession, CheckerContext checkerCtx): Checks whether the specified OAuth 2.0 authorisation / OpenID authentication request is eligible for SSO.
Method Details
isEligible
boolean isEligible(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation clientInfo, SubjectSession subjectSession, CheckerContext checkerCtx)
Checks whether the specified OAuth 2.0 authorisation / OpenID authentication request is eligible for SSO.
Parameters:
- authzRequest: The authorisation request. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.
- clientInfo: The registered client information for the client_id. Not null.
- subjectSession: The subject session. Not null.
- checkerCtx: The checker context. Not null.
Returns:
- true if the request is eligible for SSO, false if not, which causes the Connect2id server to prompt the end-user for authentication.
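An example implementation of this SPI, added here and not part of the Connect2id server or this page: it refuses SSO (forcing a fresh login) when the request asks for a step-up scope or comes from a client registered as always requiring re-authentication. The scope names and client ID are constructed for the example, and SubjectSession and CheckerContext are assumed to live in the same package as the interface, as they appear unqualified above.

```java
import java.util.Set;

import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;

// SubjectSession and CheckerContext are assumed to be in this package (they
// are listed unqualified on the SPI page), so no import is needed for them.
public class StepUpEligibilityChecker implements WebSSOEligibilityChecker {

    // Immutable sets: the checker holds no mutable state, so it is thread-safe
    // as the SPI requires. Values are constructed for this example.
    private static final Set<String> STEP_UP_SCOPES =
            Set.of("payments:write", "account:close");

    private static final Set<String> ALWAYS_REAUTH_CLIENTS =
            Set.of("example-admin-console");

    @Override
    public boolean isEligible(AuthorizationRequest authzRequest,
                              OIDCClientInformation clientInfo,
                              SubjectSession subjectSession,
                              CheckerContext checkerCtx) {

        // Certain clients never get SSO: every request prompts for login.
        String clientID = clientInfo.getID().getValue();
        if (ALWAYS_REAUTH_CLIENTS.contains(clientID)) {
            return false;
        }

        // Requests for a sensitive scope require a fresh authentication, even
        // though the server's own checks (session present, auth_life, max_age,
        // acr_values, id_token_hint, prompt) have already passed.
        Scope scope = authzRequest.getScope();
        if (scope != null) {
            for (String stepUp : STEP_UP_SCOPES) {
                if (scope.contains(stepUp)) {
                    return false;
                }
            }
        }

        // Nothing further to object to: let the server proceed with SSO.
        return true;
    }
}
```

Returning false only adds an authentication prompt on top of the server's own checks; the checker cannot grant SSO to a request the server has already rejected.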