OPCustomRedirectUriValidation

Since version 4.2.0, the OAUTH2.PAR, OIDC.SSO and OAUTH2.Token profiles support injecting custom validation logic for the redirect_uri parameter in the request. The bean specified via customRedirectUriValidationStrategy must be of type BiPredicate<URI,ProfileRequestContext>, where the first parameter contains the requested redirect_uri value.

The abstract bean shibboleth.oidc.MetadataPolicyRedirectUriValidator is useful for applying metadata policies in validation.

The following example accepts the requested value if it is either https://rp.example.org/cb1 or https://rp.example.org/cb2:

<!-- Exact match: the requested value must equal one of the listed URIs. -->
<bean id="CustomValidator1" parent="shibboleth.oidc.MetadataPolicyRedirectUriValidator">
    <property name="metadataPolicy">
        <bean class="net.shibboleth.oidc.metadata.policy.MetadataPolicy"
              p:oneOfValues="#{{'https://rp.example.org/cb1','https://rp.example.org/cb2'}}" />
    </property>
</bean>

The following example accepts any requested value starting with https://rp.example.org/:

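<!-- Literal dots are escaped so they match only '.'; the optional group
     admits a single subdomain label (letters, digits, hyphen) before the host. -->
<bean id="CustomValidator2" parent="shibboleth.oidc.MetadataPolicyRedirectUriValidator">
    <property name="metadataPolicy">
        <bean class="net.shibboleth.oidc.metadata.policy.MetadataPolicy"
              p:regexp="^https:\/\/(?:([A-Za-z0-9-]+)\.)?rp\.example\.org\/(.*)" />
    </property>
</bean>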
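
A validator can also be written directly against the BiPredicate<URI,ProfileRequestContext> type required above. The following is an added example, not code from the plugin: it compares parsed URI components instead of matching a pattern against the raw string, so a lookalike host or a host name placed in the path is rejected. The class name StrictRedirectUriValidator, the single allowed host and the sample inputs in main() are assumptions made for illustration.

```java
import java.net.URI;
import java.util.function.BiPredicate;

import org.opensaml.profile.context.ProfileRequestContext;

/** Added example; the class name and the allowed host are assumptions, not plugin code. */
public class StrictRedirectUriValidator implements BiPredicate<URI, ProfileRequestContext> {

    /** Assumed relying-party host, taken from the examples on this page. */
    private static final String ALLOWED_HOST = "rp.example.org";

    @Override
    public boolean test(final URI redirectUri, final ProfileRequestContext profileRequestContext) {
        // Reject null, relative and opaque (e.g. mailto:) values outright.
        if (redirectUri == null || !redirectUri.isAbsolute() || redirectUri.isOpaque()) {
            return false;
        }
        // Only https is accepted.
        if (!"https".equalsIgnoreCase(redirectUri.getScheme())) {
            return false;
        }
        // getHost() is null when the authority is missing or not a plain server-based host.
        final String host = redirectUri.getHost();
        if (host == null || !ALLOWED_HOST.equalsIgnoreCase(host)) {
            return false;
        }
        // No userinfo, and no port other than the https default.
        if (redirectUri.getRawUserInfo() != null
                || (redirectUri.getPort() != -1 && redirectUri.getPort() != 443)) {
            return false;
        }
        // RFC 6749 section 3.1.2: a redirection URI must not include a fragment.
        return redirectUri.getRawFragment() == null;
    }

    /** Constructed sample inputs; the context is unused here, so null is passed. */
    public static void main(final String[] args) {
        final StrictRedirectUriValidator v = new StrictRedirectUriValidator();
        for (final String s : new String[] {
                "https://rp.example.org/cb1",               // accepted
                "https://rp-example.org/cb1",               // rejected: different host
                "https://other.example/x.rp.example.org/",  // rejected: host is other.example
                "http://rp.example.org/cb1",                // rejected: not https
                "https://rp.example.org/cb1#frag"}) {       // rejected: fragment present
            System.out.println(s + " -> " + v.test(URI.create(s), null));
        }
    }
}
```

Such a class would be declared as a bean and referenced through customRedirectUriValidationStrategy in the same way as the validators above.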
