Interface WebSSOEligibilityChecker


public interface WebSSOEligibilityChecker
Service Provider Interface (SPI) for plugging in additional checks on whether an OAuth 2.0 authorisation / OpenID authentication request is eligible for single sign-on (SSO), after the Connect2id server has completed its own checks.

Prior to calling this SPI the Connect2id server ensures the following conditions are met for a request to be eligible for SSO:

  • A subject (end-user) session is present.
  • The subject session authentication lifetime (auth_life), if specified for the session, has not expired.
  • If the request is an OpenID authentication request with a maximum authentication age (max_age) or an ACR level (acr_values), that the subject session satisfies them.
  • If a particular user identity is required (via an id_token_hint), that it matches the session subject.
  • The request doesn't specify a prompt of login, select_account or create.
  • A Connect2id server configuration doesn't trigger an authentication prompt.

If the OAuth 2.0 authorisation / OpenID authentication request is eligible for SSO the check method returns true. Otherwise the method returns false, causing the Connect2id server to prompt the end-user for authentication.

Implementations must be thread-safe.

  • Method Summary

    boolean isEligible(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation clientInfo, SubjectSession subjectSession, CheckerContext checkerCtx)
        Checks whether the specified OAuth 2.0 authorisation / OpenID authentication request is eligible for SSO.
  • Method Details

    • isEligible

      boolean isEligible(com.nimbusds.oauth2.sdk.AuthorizationRequest authzRequest, com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation clientInfo, SubjectSession subjectSession, CheckerContext checkerCtx)
      Checks whether the specified OAuth 2.0 authorisation / OpenID authentication request is eligible for SSO.
      Parameters:
      authzRequest - The authorisation request. Can be cast to AuthenticationRequest for an instance of an OpenID authentication request. Not null.
      clientInfo - The registered client information for the client_id. Not null.
      subjectSession - The subject session. Not null.
      checkerCtx - The checker context. Not null.
      Returns:
      true if the request is eligible for SSO, false if not, which causes the Connect2id server to prompt the end-user for authentication.
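A minimal implementation of this SPI, added here as an example and not part of the Connect2id server or its SDK. It assumes the Connect2id SPI jar is on the classpath; the sso_disabled custom client metadata field and the sensitive scope names are constructed for the example and are not defined by Connect2id or any standard.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
// WebSSOEligibilityChecker, SubjectSession and CheckerContext come from the
// Connect2id server SPI jar; their packages are not given on this page, so the
// imports are left to the reader (assumption: the SPI jar is on the classpath).

/**
 * Added example: declines SSO when the request asks for a sensitive scope, or when
 * the client opted out of SSO at registration, so the end-user re-authenticates.
 * Stateless and immutable, hence thread-safe as the SPI requires.
 */
public final class SensitiveScopeSSOChecker implements WebSSOEligibilityChecker {
    private static final Logger LOG = Logger.getLogger(SensitiveScopeSSOChecker.class.getName());

    // Constructed sample values: scopes whose grant must start from a fresh login.
    private static final Set<Scope.Value> SENSITIVE_SCOPES = Collections.unmodifiableSet(
        new HashSet<>(Arrays.asList(new Scope.Value("payments"), new Scope.Value("account:admin"))));

    // Hypothetical custom client metadata field; not a standard or Connect2id-defined parameter.
    private static final String SSO_OPT_OUT_FIELD = "sso_disabled";

    @Override
    public boolean isEligible(AuthorizationRequest authzRequest,
                              OIDCClientInformation clientInfo,
                              SubjectSession subjectSession,
                              CheckerContext checkerCtx) {
        // Per-client opt-out recorded in the client's registered metadata
        Object optOut = clientInfo.getOIDCMetadata().getCustomField(SSO_OPT_OUT_FIELD);
        if (Boolean.TRUE.equals(optOut)) {
            LOG.fine(() -> "SSO declined, client " + clientInfo.getID() + " opted out");
            return false; // the server will prompt the end-user for authentication
        }

        // Sensitive scopes: require a fresh login even though the session passed the server's own checks
        Scope scope = authzRequest.getScope(); // may be null for a plain OAuth 2.0 request
        if (scope != null && !Collections.disjoint(scope, SENSITIVE_SCOPES)) {
            LOG.fine(() -> "SSO declined, sensitive scope requested by client " + clientInfo.getID());
            return false;
        }

        return true; // nothing further to object to, SSO proceeds
    }
}
```

The subjectSession and checkerCtx parameters are deliberately unused here; a checker that also inspects the session (for example its ACR) would consult them before returning.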