Pushed Authorisation Request (PAR) validator SPI

1. Additional validation of PAR requests

The PAR endpoint of the Connect2id server authenticates the client (if confidential) and performs all standard checks on the pushed authorisation request, such as ensuring the overall validity of the request and the client being registered for the requested response_type. If the client submitted a JWT-secured request (JAR), it will be validated and unwrapped.

A plugin interface (SPI) is made available for carrying out additional checks on the pushed authorisation request, after the Connect2id server has completed the standard validation. You can use it to plug in your own custom rules for additional validation, or to perform some modification of the parameters.

The SPI is available since v8.0.

2. PAR validator SPI

To plug in your own custom checks implement the PARValidator SPI defined in the Connect2id server toolkit:

Git repohttps://bitbucket.org/connect2id/server-sdk

Features of the PAR validator SPI:

  • Perform additional validation of the pushed authorisation request.
  • Perform optional modification of the request parameters.
  • Provides access to the registered information for the client.
  • If the request is rejected allows setting of an HTTP status code, error code and message.

If the Connect2id server detects an SPI implementation it will log its loading under OP6604.

INFO main MAIN - [OP6604] Loaded PAR validator: com.nimbusds.openid.connect.provider.spi.par.impl.SamplePARValidator

3. Example

Sample PAR validator to check if the submitted authorisation request scope values are present in the OAuth 2.0 client registration. Note, for OpenID the AuthorizationRequest will be an instance of AuthenticationRequest and can be cast to it if needed.

import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.provider.spi.par.*;

public class ScopeValidator implements PARValidator {

    @Override
    public AuthorizationRequest validatePushedAuthorizationRequest(
        final AuthorizationRequest authzRequest,
        final ValidatorContext validatorCtx)

        throws InvalidPushedAuthorizationRequestException {

        OIDCClientInformation clientInfo = validatorCtx.getOIDCClientInformation();

        if (clientInfo.getMetadata().getScope() == null ||
            ! clientInfo.getMetadata().getScope().containsAll(authzRequest.getScope())) {

            Scope unacceptedScope = new Scope(authzRequest.getScope());
            unacceptedScope.removeAll(clientInfo.getMetadata().getScope());

            String msg = "Scope not accepted: " + unacceptedScope;

                throw new InvalidPushedAuthorizationRequestException(
                    msg, // will be logged
                    OAuth2Error.INVALID_SCOPE.setHTTPStatusCode(400).setDescription(msg)
                );
        }

        return authzRequest; // pass
    }
}