Package org.springframework.security.oauth2.server.authorization.authentication

Class OAuth2ClientRegistrationAuthenticationValidator

java.lang.Object

org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientRegistrationAuthenticationValidator

All Implemented Interfaces:

Consumer<OAuth2ClientRegistrationAuthenticationContext>

public final class OAuth2ClientRegistrationAuthenticationValidator
extends Object
implements Consumer<OAuth2ClientRegistrationAuthenticationContext>

A Consumer providing access to the OAuth2ClientRegistrationAuthenticationContext containing an OAuth2ClientRegistrationAuthenticationToken and is the default authentication validator used for validating specific OAuth 2.0 Dynamic Client Registration Request parameters (RFC 7591).

The default implementation validates redirect_uris, jwks_uri, and scope. If validation fails, an OAuth2AuthenticationException is thrown.

Each validated field is backed by two public constants:

• DEFAULT_*_VALIDATOR -- strict validation that rejects unsafe values. This is the default behavior and may reject input that was previously accepted.
• SIMPLE_*_VALIDATOR -- lenient validation preserving the behavior from prior releases. Use only when strictly required for backward compatibility and with full understanding that it may accept values that enable attacks against the authorization server.

Since:

7.0.5

See Also:

• OAuth2ClientRegistrationAuthenticationContext
• OAuth2ClientRegistrationAuthenticationToken
• OAuth2ClientRegistrationAuthenticationProvider.setAuthenticationValidator(Consumer)

Field Summary

Fields

Modifier and Type	Field	Description
static final Consumer<OAuth2ClientRegistrationAuthenticationContext>	DEFAULT_JWK_SET_URI_VALIDATOR	The default validator for jwks_uri.
static final Consumer<OAuth2ClientRegistrationAuthenticationContext>	DEFAULT_REDIRECT_URI_VALIDATOR	The default validator for redirect_uris.
static final Consumer<OAuth2ClientRegistrationAuthenticationContext>	DEFAULT_SCOPE_VALIDATOR	The default validator for scope.
static final Consumer<OAuth2ClientRegistrationAuthenticationContext>	SIMPLE_JWK_SET_URI_VALIDATOR	The simple validator for jwks_uri that preserves prior behavior (no validation).
static final Consumer<OAuth2ClientRegistrationAuthenticationContext>	SIMPLE_REDIRECT_URI_VALIDATOR	The simple validator for redirect_uris that preserves prior behavior (fragment-only check).
static final Consumer<OAuth2ClientRegistrationAuthenticationContext>	SIMPLE_SCOPE_VALIDATOR	The simple validator for scope that preserves prior behavior (accepts any scope).

Constructor Summary

Constructors

Constructor	Description
OAuth2ClientRegistrationAuthenticationValidator()

Method Summary

Modifier and Type	Method	Description
void	accept(OAuth2ClientRegistrationAuthenticationContext authenticationContext)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.util.function.Consumer

andThen

Field Details

DEFAULT_REDIRECT_URI_VALIDATOR

public static final Consumer<OAuth2ClientRegistrationAuthenticationContext> DEFAULT_REDIRECT_URI_VALIDATOR

The default validator for redirect_uris. Rejects URIs that contain a fragment, have no scheme (e.g. protocol-relative //host/path), or use an unsafe scheme (javascript, data, vbscript).

SIMPLE_REDIRECT_URI_VALIDATOR

public static final Consumer<OAuth2ClientRegistrationAuthenticationContext> SIMPLE_REDIRECT_URI_VALIDATOR

The simple validator for redirect_uris that preserves prior behavior (fragment-only check). Use only when backward compatibility is required; values that enable open redirect and XSS attacks may be accepted.

DEFAULT_JWK_SET_URI_VALIDATOR

public static final Consumer<OAuth2ClientRegistrationAuthenticationContext> DEFAULT_JWK_SET_URI_VALIDATOR

The default validator for jwks_uri. Rejects URIs that do not use the https scheme.

SIMPLE_JWK_SET_URI_VALIDATOR

public static final Consumer<OAuth2ClientRegistrationAuthenticationContext> SIMPLE_JWK_SET_URI_VALIDATOR

The simple validator for jwks_uri that preserves prior behavior (no validation). Use only when backward compatibility is required; values that enable SSRF attacks may be accepted.

DEFAULT_SCOPE_VALIDATOR

public static final Consumer<OAuth2ClientRegistrationAuthenticationContext> DEFAULT_SCOPE_VALIDATOR

The default validator for scope. Rejects any request that includes a non-empty scope value. Deployers that need to accept scopes during Dynamic Client Registration must configure their own validator (for example, by chaining on top of SIMPLE_SCOPE_VALIDATOR).

SIMPLE_SCOPE_VALIDATOR

public static final Consumer<OAuth2ClientRegistrationAuthenticationContext> SIMPLE_SCOPE_VALIDATOR

The simple validator for scope that preserves prior behavior (accepts any scope). Use only when backward compatibility is required; values that enable arbitrary scope injection may be accepted.

Constructor Details

OAuth2ClientRegistrationAuthenticationValidator

public OAuth2ClientRegistrationAuthenticationValidator()

Method Details

accept

public void accept(OAuth2ClientRegistrationAuthenticationContext authenticationContext)

Specified by:

accept in interface Consumer<OAuth2ClientRegistrationAuthenticationContext>