Package net.shibboleth.idp.plugin.oidc.op.profile.impl

Class ValidateScope

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction<com.nimbusds.openid.connect.sdk.AuthenticationRequest>

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationRequestAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationResponseAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.ValidateScope

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateScope
extends AbstractOIDCAuthenticationResponseAction

Action that validates requested and previously granted scopes are also registered in client metadata and stores the resulting set in the response context.

Requested scopes come from the inbound message and are possible but optional for both authorization and token requests. They come from lookup functions aware of each message type.

Previously granted scopes are stored in the response context's slot for previous authorization grant claims. In the case where no scopes are explicitly requested, we still filter the previous grants against the metadata.

Explicitly requested scopes are also filtered against, and override, any scopes previously validated as part of an authorization grant claim set. If this occurs, any grant-borne claims are removed because the association to specific scopes is gone by this point.

The "offline_access" scope is ignored and stripped for the authentication endpoint unless the response type includes "code".

Field Summary

Fields

Modifier and Type	Field	Description
private Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope>	allowedScopeLookupStrategy	Strategy used to obtain the scope allowed for the client.
private org.slf4j.Logger	log	Class logger.
private Function<ProfileRequestContext,String>	relyingPartyIdLookupStrategy	Strategy used to obtain the relying party ID.
private Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope>	requestedScopeLookupStrategy	Strategy used to obtain the requested scope value.
private Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext>	tokenClaimsContextLookupStrategy	Strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext.

Constructor Summary

Constructors

Constructor	Description
ValidateScope()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext)
void	setAllowedScopeLookupStrategy(Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope> strategy)	Set the strategy used to locate the allowed scope for the client.
void	setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy(Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> strategy)	Set the strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext associated with a given ProfileRequestContext.
void	setRelyingPartyIdLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the strategy used to obtain the relying party ID.
void	setRequestedScopeLookupStrategy(Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope> strategy)	Set the strategy used to locate the requested scope to validate.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationResponseAction

doPreExecute, getMetadataContext, getOidcResponseContext

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationRequestAction

getAuthenticationRequest

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction

getRequest

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Class logger.

relyingPartyIdLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> relyingPartyIdLookupStrategy

Strategy used to obtain the relying party ID.

requestedScopeLookupStrategy

@Nullable
private Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope> requestedScopeLookupStrategy

Strategy used to obtain the requested scope value.

allowedScopeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope> allowedScopeLookupStrategy

Strategy used to obtain the scope allowed for the client.

tokenClaimsContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> tokenClaimsContextLookupStrategy

Strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext.

Constructor Detail

ValidateScope

public ValidateScope()

Constructor.

Method Detail

setRelyingPartyIdLookupStrategy

public void setRelyingPartyIdLookupStrategy(@Nonnull
                                            Function<ProfileRequestContext,String> strategy)

Set the strategy used to obtain the relying party ID.

Parameters:

strategy - lookup strategy

setRequestedScopeLookupStrategy

public void setRequestedScopeLookupStrategy(@Nullable
                                            Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope> strategy)

Set the strategy used to locate the requested scope to validate.

Parameters:

strategy - lookup strategy

setAllowedScopeLookupStrategy

public void setAllowedScopeLookupStrategy(@Nonnull
                                          Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.Scope> strategy)

Set the strategy used to locate the allowed scope for the client.

Parameters:

strategy - lookup strategy

setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy

public void setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy(@Nonnull
                                                                          Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> strategy)

Set the strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext associated with a given ProfileRequestContext.

Parameters:

strategy - lookup strategy

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction