Interface ScopeValidator

  • All Known Implementing Classes:
    OpenAMScopeValidator

    public interface ScopeValidator
    Provided as extension points to allow the OAuth2 provider to customise the requested scope of authorize, access token and refresh token requests and to allow the OAuth2 provider to return additional data from these endpoints as well.
    Since:
    12.0.0
    • Method Detail

      • validateAuthorizationScope

        Set<String> validateAuthorizationScope​(ClientRegistration clientRegistration,
                                               Set<String> scope,
                                               OAuth2Request request)
                                        throws InvalidScopeException,
                                               ServerException
        Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.
        Parameters:
        clientRegistration - The client registration.
        scope - The requested scope.
        request - The OAuth2 request.
        Returns:
        The updated scope used in the remaining OAuth2 process.
        Throws:
        InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
        ServerException - If any internal server error occurs.
      • validateAccessTokenScope

        Set<String> validateAccessTokenScope​(ClientRegistration clientRegistration,
                                             Set<String> scope,
                                             OAuth2Request request)
                                      throws InvalidScopeException,
                                             ServerException
        Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.
        Parameters:
        clientRegistration - The client registration.
        scope - The requested scope.
        request - The OAuth2 request.
        Returns:
        The updated scope used in the remaining OAuth2 process.
        Throws:
        InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
        ServerException - If any internal server error occurs.
      • validateRefreshTokenScope

        Set<String> validateRefreshTokenScope​(ClientRegistration clientRegistration,
                                              Set<String> requestedScope,
                                              Set<String> tokenScope,
                                              OAuth2Request request)
                                       throws ServerException,
                                              InvalidScopeException
        Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.
        Parameters:
        clientRegistration - The client registration.
        requestedScope - The requested scope.
        tokenScope - The scope from the access token.
        request - The OAuth2 request.
        Returns:
        The updated scope used in the remaining OAuth2 process.
        Throws:
        InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
        ServerException - If any internal server error occurs.
      • evaluateScope

        Map<String,​Object> evaluateScope​(AccessToken accessToken)
        Gets the specified access token's information.
        Parameters:
        accessToken - The access token.
        Returns:
        A Map<String, Object> of the access token's information.
      • additionalDataToReturnFromAuthorizeEndpoint

        Map<String,​String> additionalDataToReturnFromAuthorizeEndpoint​(Map<String,​Token> tokens,
                                                                             OAuth2Request request)
        Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.
        Parameters:
        tokens - The tokens that will be returned from the authorization call.
        request - The OAuth2 request.
        Returns:
        A Map<String, String> of the additional data to return.
      • additionalDataToReturnFromTokenEndpoint

        void additionalDataToReturnFromTokenEndpoint​(AccessToken accessToken,
                                                     OAuth2Request request)
                                              throws ServerException,
                                                     InvalidClientException,
                                                     NotFoundException
        Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.
        Any additional data to be returned should be added to the access token by invoking, AccessToken#addExtraData(String, String).
        Parameters:
        accessToken - The access token.
        request - The OAuth2 request.
        Throws:
        ServerException - If any internal server error occurs.
        InvalidClientException - If either the request does not contain the client's id or the client fails to be authenticated.
        NotFoundException - If the realm does not have an OAuth 2.0 provider service.