OPCustomRedirectUriValidation

Since version 4.2.0, the OAUTH2.PAR, OIDC.SSO and OAUTH2.Token profiles support injecting a custom validation logic for the redirect_uri -parameter in the request. The bean specified via customRedirectUriValidationStrategy must be of type BiPredicate<URI,ProfileRequestContext> where the first parameter contains the requested redirect_uri value.

An abstract bean shibboleth.oidc.MetadataPolicyRedirectUriValidator is useful for exploiting metadata policies in validation.

The following example accepts the requested value is either https://rp.example.org/cb1 or https://rp.example.org/cb2:

<bean id="CustomValidator1" parent="shibboleth.oidc.MetadataPolicyRedirectUriValidator">
    <property name="metadataPolicy">
        <bean class="net.shibboleth.oidc.metadata.policy.MetadataPolicy"
            p:oneOfValues="#{{'https://rp.example.org/cb1','https://rp.exmaple.org/cb2'}}" />
    </property>
</bean>

The following example accepts any requested value starting with https://rp.example.org/:

<bean id="CustomValidator2" parent="shibboleth.oidc.MetadataPolicyRedirectUriValidator">
    <property name="metadataPolicy">
        <bean class="net.shibboleth.oidc.metadata.policy.MetadataPolicy"
            p:regexp="^https:\/\/(?:([^.]+).)?rp.example.org\/(.*)"/>
    </property>
</bean>