OPCustomRedirectUriValidation
Since version 4.2.0, the OAUTH2.PAR, OIDC.SSO and OAUTH2.Token profiles support injecting custom validation logic for the redirect_uri parameter of the request. The bean specified via customRedirectUriValidationStrategy must be of type BiPredicate<URI,ProfileRequestContext>, where the first parameter contains the requested redirect_uri value.
The abstract bean shibboleth.oidc.MetadataPolicyRedirectUriValidator can be used as a parent bean to apply metadata policies in the validation.
The following example accepts the requested value if it is either https://rp.example.org/cb1 or https://rp.example.org/cb2:
<bean id="CustomValidator1" parent="shibboleth.oidc.MetadataPolicyRedirectUriValidator">
    <property name="metadataPolicy">
        <bean class="net.shibboleth.oidc.metadata.policy.MetadataPolicy"
              p:oneOfValues="#{{'https://rp.example.org/cb1','https://rp.example.org/cb2'}}" />
    </property>
</bean>
The following example accepts any requested value starting with https://rp.example.org/, optionally with one subdomain label in front of the host name:
<bean id="CustomValidator2" parent="shibboleth.oidc.MetadataPolicyRedirectUriValidator">
    <property name="metadataPolicy">
        <!-- Dots are escaped so they match only a literal "."; the optional label is limited to host-name characters. -->
        <bean class="net.shibboleth.oidc.metadata.policy.MetadataPolicy"
              p:regexp="^https:\/\/(?:([a-zA-Z0-9-]+)\.)?rp\.example\.org\/(.*)"/>
    </property>
</bean>
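
Because the profiles accept any BiPredicate<URI,ProfileRequestContext>, the check can also be written in Java against the parsed URI components instead of a regular expression. The class below is an added example, not code from the Shibboleth project; the class name, the allowed-host set and the sample URIs in main are assumptions.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import java.util.function.BiPredicate;

import org.opensaml.profile.context.ProfileRequestContext;

/** Hypothetical validator (not part of the OP plugin): accepts https URIs on an exact host. */
public class ExactHostRedirectUriValidator implements BiPredicate<URI, ProfileRequestContext> {

    // Assumed allow-list; hosts are compared as whole strings, never as patterns.
    private final Set<String> allowedHosts = Set.of("rp.example.org");

    @Override
    public boolean test(final URI uri, final ProfileRequestContext profileRequestContext) {
        if (uri == null || uri.isOpaque() || uri.getHost() == null) {
            return false; // relative, opaque or unparsable authority
        }
        final String host = uri.getHost().toLowerCase(Locale.ROOT);
        return "https".equalsIgnoreCase(uri.getScheme())
                && allowedHosts.contains(host)
                && uri.getUserInfo() == null                      // reject user@host forms
                && (uri.getPort() == -1 || uri.getPort() == 443)  // default https port only
                && uri.getFragment() == null;                     // RFC 6749 3.1.2: no fragment
    }

    public static void main(final String[] args) {
        // Constructed sample values, not taken from any deployment.
        final String[] samples = {
            "https://rp.example.org/cb1",
            "https://rp.example.org:8443/cb1",
            "http://rp.example.org/cb1",
            "https://rpxexample.org/cb1",
            "https://rp.example.org.other.example/cb1",
            "https://rp.example.org/cb1#frag",
        };
        final ExactHostRedirectUriValidator validator = new ExactHostRedirectUriValidator();
        for (final String sample : samples) {
            // The profile request context is unused by this validator, so null is passed here.
            System.out.println(validator.test(URI.create(sample), null) + "  " + sample);
        }
    }
}
```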