Class OidcClientRegistrationAuthenticationValidator
java.lang.Object
org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationValidator
- All Implemented Interfaces:
Consumer<OidcClientRegistrationAuthenticationContext>
public final class OidcClientRegistrationAuthenticationValidator
extends Object
implements Consumer<OidcClientRegistrationAuthenticationContext>
A Consumer that provides access to the OidcClientRegistrationAuthenticationContext containing an OidcClientRegistrationAuthenticationToken, and is the default authentication validator used for validating specific OpenID Connect 1.0 Dynamic Client Registration Request parameters.
The default implementation validates redirect_uris, post_logout_redirect_uris, jwks_uri, and scope. If validation fails, an OAuth2AuthenticationException is thrown.
Each validated field is backed by two public constants:
- DEFAULT_*_VALIDATOR - strict validation that rejects unsafe values. This is the default behavior and may reject input that was previously accepted.
- SIMPLE_*_VALIDATOR - lenient validation preserving the behavior from prior releases. Use only when strictly required for backward compatibility and with full understanding that it may accept values that enable attacks against the authorization server.
Field Summary
Fields (all of type static final Consumer<OidcClientRegistrationAuthenticationContext>)
- DEFAULT_JWK_SET_URI_VALIDATOR: The default validator for jwks_uri.
- DEFAULT_POST_LOGOUT_REDIRECT_URI_VALIDATOR: The default validator for post_logout_redirect_uris.
- DEFAULT_REDIRECT_URI_VALIDATOR: The default validator for redirect_uris.
- DEFAULT_SCOPE_VALIDATOR: The default validator for scope.
- SIMPLE_JWK_SET_URI_VALIDATOR: The simple validator for jwks_uri that preserves prior behavior (no validation).
- SIMPLE_POST_LOGOUT_REDIRECT_URI_VALIDATOR: The simple validator for post_logout_redirect_uris that preserves prior behavior (fragment-only check).
- SIMPLE_REDIRECT_URI_VALIDATOR: The simple validator for redirect_uris that preserves prior behavior (fragment-only check).
- SIMPLE_SCOPE_VALIDATOR: The simple validator for scope that preserves prior behavior (accepts any scope).
Constructor Summary
Constructors
- OidcClientRegistrationAuthenticationValidator()
Method Summary
Methods
- void accept(OidcClientRegistrationAuthenticationContext authenticationContext)
Field Details

DEFAULT_REDIRECT_URI_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> DEFAULT_REDIRECT_URI_VALIDATOR
The default validator for redirect_uris. Rejects URIs that contain a fragment, have no scheme (e.g. protocol-relative //host/path), or use an unsafe scheme (javascript, data, vbscript).

SIMPLE_REDIRECT_URI_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> SIMPLE_REDIRECT_URI_VALIDATOR
The simple validator for redirect_uris that preserves prior behavior (fragment-only check). Use only when backward compatibility is required; values that enable open redirect and XSS attacks may be accepted.

DEFAULT_POST_LOGOUT_REDIRECT_URI_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> DEFAULT_POST_LOGOUT_REDIRECT_URI_VALIDATOR
The default validator for post_logout_redirect_uris. Applies the same rules as DEFAULT_REDIRECT_URI_VALIDATOR.

SIMPLE_POST_LOGOUT_REDIRECT_URI_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> SIMPLE_POST_LOGOUT_REDIRECT_URI_VALIDATOR
The simple validator for post_logout_redirect_uris that preserves prior behavior (fragment-only check). Use only when backward compatibility is required; values that enable XSS attacks on the authorization server origin may be accepted.

DEFAULT_JWK_SET_URI_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> DEFAULT_JWK_SET_URI_VALIDATOR
The default validator for jwks_uri. Rejects URIs that do not use the https scheme.

SIMPLE_JWK_SET_URI_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> SIMPLE_JWK_SET_URI_VALIDATOR
The simple validator for jwks_uri that preserves prior behavior (no validation). Use only when backward compatibility is required; values that enable SSRF attacks may be accepted.

DEFAULT_SCOPE_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> DEFAULT_SCOPE_VALIDATOR
The default validator for scope. Rejects any request that includes a non-empty scope value. Deployers that need to accept scopes during Dynamic Client Registration must configure their own validator (for example by chaining on top of SIMPLE_SCOPE_VALIDATOR).

SIMPLE_SCOPE_VALIDATOR
public static final Consumer<OidcClientRegistrationAuthenticationContext> SIMPLE_SCOPE_VALIDATOR
The simple validator for scope that preserves prior behavior (accepts any scope). Use only when backward compatibility is required; values that enable arbitrary scope injection may be accepted.
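The DEFAULT_SCOPE_VALIDATOR entry says deployers who must accept scopes should chain their own validator on top of SIMPLE_SCOPE_VALIDATOR. The following is an added example of doing that with a fixed scope allowlist while keeping the strict DEFAULT_* rules for the URI fields; it is not code from the original Javadoc or from the Spring project, and the holder class name, the allowlist contents and the composition order are assumptions.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationValidator;

// Hypothetical holder class; the name is not from the original page.
public final class RegistrationValidators {

    // Constructed allowlist: the only scopes a dynamically registered client may request.
    private static final Set<String> ALLOWED_SCOPES = Set.of("openid", "profile", "email");

    // Chains on top of SIMPLE_SCOPE_VALIDATOR (which accepts anything) and then
    // rejects any scope outside the allowlist, instead of rejecting every
    // non-empty scope as DEFAULT_SCOPE_VALIDATOR does.
    public static final Consumer<OidcClientRegistrationAuthenticationContext> ALLOWLISTED_SCOPE_VALIDATOR =
            OidcClientRegistrationAuthenticationValidator.SIMPLE_SCOPE_VALIDATOR.andThen(context -> {
                OidcClientRegistrationAuthenticationToken authentication = context.getAuthentication();
                OidcClientRegistration registration = authentication.getClientRegistration();
                if (registration == null) {
                    return; // nothing to validate without a registration document
                }
                List<String> requested = registration.getScopes();
                if (requested == null || requested.isEmpty()) {
                    return; // no scope requested: same outcome as the strict default
                }
                for (String scope : requested) {
                    if (!ALLOWED_SCOPES.contains(scope)) {
                        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE,
                                "Scope not permitted for dynamic registration: " + scope, null);
                        throw new OAuth2AuthenticationException(error);
                    }
                }
            });

    // Keeps the strict DEFAULT_* rules for the URI fields and swaps only the scope rule.
    public static Consumer<OidcClientRegistrationAuthenticationContext> registrationValidator() {
        return OidcClientRegistrationAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR
                .andThen(OidcClientRegistrationAuthenticationValidator.DEFAULT_POST_LOGOUT_REDIRECT_URI_VALIDATOR)
                .andThen(OidcClientRegistrationAuthenticationValidator.DEFAULT_JWK_SET_URI_VALIDATOR)
                .andThen(ALLOWLISTED_SCOPE_VALIDATOR);
    }
}
```

How the composed validator is installed on the registration endpoint's authentication provider (for example through a setAuthenticationValidator setter) is not stated on this page and should be checked against that provider's documentation for the release in use.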
Constructor Details

OidcClientRegistrationAuthenticationValidator
public OidcClientRegistrationAuthenticationValidator()

Method Details

accept
public void accept(OidcClientRegistrationAuthenticationContext authenticationContext)
Specified by:
accept in interface Consumer<OidcClientRegistrationAuthenticationContext>