Class CheckRedirectURIs

  • All Implemented Interfaces:
    Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

    public class CheckRedirectURIs
    extends net.shibboleth.idp.profile.AbstractProfileAction

    The action that verifies the redirect_uris in the client registration request. At least one must be present. If sector_identifier_uri is also defined in the request, every redirect_uri must appear in the document served at that URI (a JSON array of redirect_uri values).

    The OpenID Connect Dynamic Client Registration specification defines the following for application_type:

    Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris; they MUST NOT use localhost as the hostname. Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. Authorization Servers MAY place additional constraints on Native Clients. Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients.

    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
      • request

        @Nullable
        private com.nimbusds.openid.connect.sdk.rp.OIDCClientRegistrationRequest request
        The OIDCClientRegistrationRequest whose redirect URIs are checked.
      • httpClient

        @NonnullAfterInit
        private org.apache.http.client.HttpClient httpClient
        The HttpClient to use.
      • httpClientSecurityParameters

        @Nullable
        private HttpClientSecurityParameters httpClientSecurityParameters
        HTTP client security parameters.
    • Constructor Detail

      • CheckRedirectURIs

        public CheckRedirectURIs()
        Constructor.
    • Method Detail

      • setHttpClient

        public void setHttpClient​(@Nonnull
                                  org.apache.http.client.HttpClient client)
        Set the HttpClient to use.
        Parameters:
        client - client to use
      • setHttpClientSecurityParameters

        public void setHttpClientSecurityParameters​(@Nullable
                                                    HttpClientSecurityParameters params)
        Set the optional client security parameters.
        Parameters:
        params - the new client security parameters
      • verifySectorIdUri

        protected boolean verifySectorIdUri​(URI sectorIdUri,
                                            Set<URI> redirectURIs)
        Verifies that every given redirect URI is present in the contents fetched from the given sector identifier URI.
        Parameters:
        sectorIdUri - The sector identifier URI.
        redirectURIs - The redirect URIs to be verified.
        Returns:
        true if all redirect URIs were found in the contents; false otherwise, or if the contents could not be fetched.
      • checkScheme

        protected boolean checkScheme​(Set<URI> redirectURIs,
                                      String scheme)
        Checks whether every URI in the given set uses the given scheme.
        Parameters:
        redirectURIs - The URIs to check.
        scheme - The scheme to check for.
        Returns:
        true if every URI uses the scheme, false otherwise.
      • checkForbiddenScheme

        protected boolean checkForbiddenScheme​(Set<URI> redirectURIs,
                                               String scheme)
        Checks whether any URI in the given set uses the given scheme.
        Parameters:
        redirectURIs - The URIs to check.
        scheme - The scheme to check for.
        Returns:
        true if at least one URI uses the scheme, false otherwise.
      • checkForbiddenHostname

        protected boolean checkForbiddenHostname​(Set<URI> redirectURIs,
                                                 String hostname)
        Checks whether any URI in the given set has the given hostname.
        Parameters:
        redirectURIs - The URIs to check.
        hostname - The hostname to check for.
        Returns:
        true if at least one URI has the hostname, false otherwise.
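As an added example, not the plugin's own code, the application_type rules quoted above and the helper checks described under Method Detail, written against plain java.net.URI so the logic can be run outside the IdP and without the Nimbus SDK. The helper names mirror the page's protected methods; the RedirectUriPolicy class, checkApplicationType, its usesImplicit flag, the error strings and the sample URIs are assumptions of this example. verifySectorIdUri here takes the already fetched and parsed array rather than the sector identifier URI, since the fetch through the configured HttpClient is what the page's own method does and is left out.

```java
import java.net.URI;
import java.util.Collection;
import java.util.Optional;
import java.util.Set;

/**
 * Example redirect_uri policy (added illustration, not the Shibboleth plugin's code).
 * Helper names follow the page's protected methods; everything else is assumed.
 */
public final class RedirectUriPolicy {

    private RedirectUriPolicy() {}

    /** true if every URI uses the given scheme (scheme compared case-insensitively). */
    static boolean checkScheme(Set<URI> redirectURIs, String scheme) {
        return redirectURIs.stream()
            .allMatch(u -> u.getScheme() != null && u.getScheme().equalsIgnoreCase(scheme));
    }

    /** true if at least one URI uses the given scheme. */
    static boolean checkForbiddenScheme(Set<URI> redirectURIs, String scheme) {
        return redirectURIs.stream()
            .anyMatch(u -> u.getScheme() != null && u.getScheme().equalsIgnoreCase(scheme));
    }

    /**
     * true if at least one URI has the given hostname. This is a hostname match only:
     * loopback IP literals such as 127.0.0.1 or [::1] do not match "localhost" here.
     */
    static boolean checkForbiddenHostname(Set<URI> redirectURIs, String hostname) {
        return redirectURIs.stream()
            .anyMatch(u -> u.getHost() != null && u.getHost().equalsIgnoreCase(hostname));
    }

    /**
     * Applies the application_type rules. Returns the first violation found, or empty
     * if the set is acceptable. usesImplicit (assumed parameter) says whether the client
     * registered the implicit grant, because the spec's https rule is conditional on it.
     */
    static Optional<String> checkApplicationType(String applicationType, boolean usesImplicit,
                                                 Set<URI> redirectURIs) {
        if (redirectURIs == null || redirectURIs.isEmpty()) {
            return Optional.of("at least one redirect_uri is required");
        }
        if ("native".equals(applicationType)) {
            // Native: custom scheme, or http with localhost as the hostname.
            for (URI u : redirectURIs) {
                String scheme = u.getScheme();
                if (scheme == null) {
                    return Optional.of("redirect_uri without a scheme: " + u);
                }
                boolean httpLocalhost = scheme.equalsIgnoreCase("http")
                    && u.getHost() != null && u.getHost().equalsIgnoreCase("localhost");
                boolean customScheme = !scheme.equalsIgnoreCase("http")
                    && !scheme.equalsIgnoreCase("https");
                if (!httpLocalhost && !customScheme) {
                    return Optional.of("native client redirect_uri must use a custom scheme or http://localhost: " + u);
                }
            }
            return Optional.empty();
        }
        // Web client (the default application_type).
        if (usesImplicit) {
            if (!checkScheme(redirectURIs, "https")) {
                return Optional.of("implicit web client must register only https redirect_uris");
            }
            if (checkForbiddenHostname(redirectURIs, "localhost")) {
                return Optional.of("implicit web client must not use localhost as the redirect_uri host");
            }
        } else if (checkForbiddenScheme(redirectURIs, "http")) {
            // The spec says the AS MAY reject http outside the native/localhost case; this example does.
            return Optional.of("http redirect_uri rejected for web client");
        }
        return Optional.empty();
    }

    /**
     * Sector identifier check: every registered redirect_uri must appear as an exact value
     * in the array fetched from sector_identifier_uri. The caller performs the fetch.
     */
    static boolean verifySectorIdUri(Collection<URI> listedInSectorDocument, Set<URI> redirectURIs) {
        return listedInSectorDocument != null && listedInSectorDocument.containsAll(redirectURIs);
    }

    public static void main(String[] args) {
        // Constructed sample registrations.
        Set<URI> web = Set.of(URI.create("https://rp.example.org/cb"));
        Set<URI> nativeOk = Set.of(URI.create("com.example.app:/oauth2redirect"),
                                   URI.create("http://localhost:8080/cb"));
        Set<URI> nativeLoopbackIp = Set.of(URI.create("http://127.0.0.1:8080/cb"));
        Set<URI> sectorDocument = Set.of(URI.create("https://rp.example.org/cb"),
                                         URI.create("https://other.example.org/cb"));

        System.out.println("web/implicit:     " + checkApplicationType("web", true, web));
        System.out.println("native/ok:        " + checkApplicationType("native", false, nativeOk));
        System.out.println("native/127.0.0.1: " + checkApplicationType("native", false, nativeLoopbackIp));
        System.out.println("sector covers web: " + verifySectorIdUri(sectorDocument, web));
    }
}
```

Two points for anyone extending the action. The localhost rule is matched on the hostname string, so an http://127.0.0.1 or http://[::1] redirect_uri from a native client is rejected here even though RFC 8252 recommends loopback IP literals for native apps; if you want to admit them, add an explicit loopback-literal check rather than loosening the hostname comparison. And the sector_identifier_uri is client-supplied, so the fetch must use the configured HttpClient with its security parameters (TLS trust) and only ever an https URL, which is what the spec requires for that parameter.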