Package org.forgerock.oauth2.core
Interface ScopeValidator
-
@SupportedAll public interface ScopeValidator
Provided as extension points to allow the OAuth2 provider to customise the requested scope of authorize, access token and refresh token requests and to allow the OAuth2 provider to return additional data from these endpoints as well.- Since:
- 12.0.0
-
-
Method Summary
All Methods Instance Methods Abstract Methods Default Methods Modifier and Type Method Description Map<String,String>
additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.void
additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.Map<String,Object>
evaluateScope(AccessToken accessToken)
Gets the specified access token's information.UserInfoClaims
getUserInfo(ClientRegistration clientRegistration, AccessToken token, OAuth2Request request)
Gets the resource owners information based on an issued access token.default void
modifyAccessToken(AccessToken accessToken, OAuth2Request request)
Allows modification of the OAuth2 access token before the token is persisted/returned to the client.Set<String>
validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.Set<String>
validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.Set<String>
validateBackChannelAuthorizationScope(ClientRegistration clientRegistration, Set<String> requestedScopes, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to customize the scope requested when performing a client initiated back channel authentication.Set<String>
validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.
-
-
-
Method Detail
-
validateAuthorizationScope
Set<String> validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.InvalidScopeException, org.forgerock.oauth2.core.exceptions.ServerException
Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.- Parameters:
clientRegistration
- The client registration.scope
- The requested scope.request
- The OAuth2 request.- Returns:
- The updated scope used in the remaining OAuth2 process.
- Throws:
org.forgerock.oauth2.core.exceptions.InvalidScopeException
- If the requested scope is invalid, unknown, or malformed.org.forgerock.oauth2.core.exceptions.ServerException
- If any internal server error occurs.
-
validateAccessTokenScope
Set<String> validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.InvalidScopeException, org.forgerock.oauth2.core.exceptions.ServerException
Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.- Parameters:
clientRegistration
- The client registration.scope
- The requested scope.request
- The OAuth2 request.- Returns:
- The updated scope used in the remaining OAuth2 process.
- Throws:
org.forgerock.oauth2.core.exceptions.InvalidScopeException
- If the requested scope is invalid, unknown, or malformed.org.forgerock.oauth2.core.exceptions.ServerException
- If any internal server error occurs.
-
validateRefreshTokenScope
Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.ServerException, org.forgerock.oauth2.core.exceptions.InvalidScopeException
Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.- Parameters:
clientRegistration
- The client registration.requestedScope
- The requested scope.tokenScope
- The scope from the access token.request
- The OAuth2 request.- Returns:
- The updated scope used in the remaining OAuth2 process.
- Throws:
org.forgerock.oauth2.core.exceptions.InvalidScopeException
- If the requested scope is invalid, unknown, or malformed.org.forgerock.oauth2.core.exceptions.ServerException
- If any internal server error occurs.
-
validateBackChannelAuthorizationScope
Set<String> validateBackChannelAuthorizationScope(ClientRegistration clientRegistration, Set<String> requestedScopes, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.InvalidScopeException, org.forgerock.oauth2.core.exceptions.ServerException
Provided as an extension point to allow the OAuth2 provider to customize the scope requested when performing a client initiated back channel authentication.- Parameters:
clientRegistration
- The client registration.requestedScopes
- The requested scope.request
- The OAuth2 request.- Returns:
- The updated scope used in the remaining OAuth2 process.
- Throws:
org.forgerock.oauth2.core.exceptions.InvalidScopeException
- If the requested scope is invalid, unknown or malformed.org.forgerock.oauth2.core.exceptions.ServerException
- If any internal server error occurs.
-
getUserInfo
UserInfoClaims getUserInfo(ClientRegistration clientRegistration, AccessToken token, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.UnauthorizedClientException, org.forgerock.oauth2.core.exceptions.NotFoundException, org.forgerock.oauth2.core.exceptions.ServerException, InvalidRequestException
Gets the resource owners information based on an issued access token.- Parameters:
clientRegistration
- The client registration.token
- The access token.request
- The OAuth2 request.- Returns:
- A
Map<String, Object>
of the resource owner's information. - Throws:
org.forgerock.oauth2.core.exceptions.UnauthorizedClientException
- If the client's authorization fails.org.forgerock.oauth2.core.exceptions.NotFoundException
- If the realm does not have an OAuth 2.0 provider service.org.forgerock.oauth2.core.exceptions.ServerException
- If the client's authorization fails due to a server error.InvalidRequestException
- If the client's authorization fails.
-
evaluateScope
Map<String,Object> evaluateScope(AccessToken accessToken)
Gets the specified access token's information.- Parameters:
accessToken
- The access token.- Returns:
- A
Map<String, Object>
of the access token's information.
-
additionalDataToReturnFromAuthorizeEndpoint
Map<String,String> additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens, OAuth2Request request)
Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.- Parameters:
tokens
- The tokens that will be returned from the authorization call.request
- The OAuth2 request.- Returns:
- A
Map<String, String>
of the additional data to return.
-
additionalDataToReturnFromTokenEndpoint
void additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.ServerException, org.forgerock.oauth2.core.exceptions.InvalidClientException, org.forgerock.oauth2.core.exceptions.NotFoundException
Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.
Any additional data to be returned should be added to the access token by invoking, AccessToken#addExtraData(String, String).- Parameters:
accessToken
- The access token.request
- The OAuth2 request.- Throws:
org.forgerock.oauth2.core.exceptions.ServerException
- If any internal server error occurs.org.forgerock.oauth2.core.exceptions.InvalidClientException
- If either the request does not contain the client's id or the client fails to be authenticated.org.forgerock.oauth2.core.exceptions.NotFoundException
- If the realm does not have an OAuth 2.0 provider service.
-
modifyAccessToken
default void modifyAccessToken(AccessToken accessToken, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.NotFoundException, org.forgerock.oauth2.core.exceptions.ServerException, org.forgerock.oauth2.core.exceptions.UnauthorizedClientException
Allows modification of the OAuth2 access token before the token is persisted/returned to the client.- Parameters:
accessToken
- The access token.request
- The OAuth2 request.- Throws:
org.forgerock.oauth2.core.exceptions.NotFoundException
- If the realm does not have an OAuth 2.0 provider service.org.forgerock.oauth2.core.exceptions.ServerException
- If any internal server error occurs.org.forgerock.oauth2.core.exceptions.UnauthorizedClientException
- If the client identity cannot be obtained.
-
-