Custom Pushed Auth Request Validator
A pushed authorization request contains authentication and authorization
request parameters, which will be used in the Pushed Authorization endpoint
of WSO2 Open Banking Accelerator. The Pushed Authorization endpoint returns
a request_uri
with an expiration time as a reference to the details sent
in the pushed authorization request.
Default Pushed Authorization Request validations¶
The Pushed Auth Request Validator uses the existing validation layer of WSO2 Open Banking Accelerator to enforce validations. By default, the following validations are available in the validation layer:
- Repeated parameter validation for all parameters: checks the pushed authorization request body for any repeated parameters
When the request
parameter is available:
Note
The request
parameter value which will be referred to as request object
from here onwards should be a
Signed JWT(JWS) or an Encrypted JWT(JWE). It can be signed and encrypted as well. In this scenario, it must
be signed before being encrypted.
-
Validation of form body parameters - verifies that only client authentication parameters (such as
client_id
,client_assertion
,client_assertion_type
) are present in the request form body. Other parameters must be included in the request object. -
Validation of client id - validates the
client id
claim of the request object. -
Validation of redirect URI - validates the redirect URI to check whether it matches with the registered redirect URIs.
-
Validation of request object signature algorithm - checks if the correct signing algorithm is used.
-
Validation of request object signature - verifies the signature of the request object.
-
Validation of the nonce claim - checks whether the nonce claim is available for response types requesting
id_token
. -
Validation of the scope claim - checks whether the scope claim contains scopes that are registered with the client application.
-
Validation of the audience claim - checks if the audience claim matches the token endpoint URL.
-
Validation of the issuer claim - checks whether the issuer claim matches the client_id.
-
Validation of invalid claims in request object - check whether the
request
andrequest_uri
claims are present in the request object.
Writing a Custom Pushed Auth Request Validator¶
You can extend the default validations in WSO2 Open Banking Accelerator and add more validations according to your open banking requirements:
- To implement a custom Pushed Auth Request validator, extend the following class:
com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator
Given below is a brief explanation of the methods you need to implement.
validateAdditionalParams method¶
This method performs the additional validations you add. Given below is the method signature:
public void validateAdditionalParams(Map<String, Object> parameters) throws PushAuthRequestValidatorException
Input parameters
Map<String, Object> parameters
- contains pushed authorization request parameters obtained from the HTTP servlet request
Output parameter
void
Note
When a valid request object is present as a request parameter, the default implementation of the accelerator
decodes the request object JWT and adds the following parameters to the Map
- Key -
"decodedJWTBody"
, Value -<decoded request object JWT body>
- Key -
"decodedJWTHeader"
, Value -<decoded request object JWT header>
For example:
- Extend the
PushAuthRequestValidator
class and override thevalidateAdditionalParams
method in your extended class as follows:
@Override
public void validateAdditionalParams(Map<String, Object> parameters) throws PushAuthRequestValidatorException {
JSONObject requestObjectJsonBody;
if (parameters.containsKey(“decodedJWTBody”) &&
parameters.get(“decodedJWTBody”) instanceof JSONObject) {
requestObjectJsonBody = (JSONObject) parameters.get(“decodedJWTBody”);
} else {
log.error("Invalid push authorisation request");
throw new PushAuthRequestValidatorException(HttpStatus.SC_BAD_REQUEST,
“invalid_request”, "Invalid push authorisation request");
}
if (!isValidSharingDuration(requestObjectJsonBody)) {
log.error("Invalid sharing_duration value");
throw new PushAuthRequestValidatorException(HttpStatus.SC_BAD_REQUEST,
“invalid_request”, "Invalid sharing_duration value");
}
}
private boolean isValidSharingDuration(JSONObject requestObjectJsonBody) {
String sharingDurationString = StringUtils.EMPTY;
JSONObject claims = requestObjectJsonBody.get(“claims”) != null ?
(JSONObject) requestObjectJsonBody.get(“claims”) : null;
if (claims != null && claims.containsKey(“sharing_duration”)
&& StringUtils.isNotBlank(claims.getAsString(“sharing_duration”))) {
sharingDurationString = claims.getAsString(“sharing_duration”);
}
int sharingDuration = sharingDurationString.isEmpty() ? 0 : Integer.parseInt(sharingDurationString);
//If the sharing_duration value is negative then the authorisation should fail.
return sharingDuration >= 0;
}
createErrorResponse method¶
This method allows you to modify error responses. Given below is the method signature:
public PushAuthErrorResponse createErrorResponse(int httpStatusCode, String errorCode, String errorDescription)
Input parameters
-
int httpStatusCode
- the HTTP status code -
String errorCode
- the error code according to the open banking specification. For example,inavlid_request
-
String errorDescription
- an appropriate error description
Output parameter
PushAuthErrorResponse
- the model class for error response
The PushAuthErrorResponse
model class contains the following fields:
private int httpStatusCode
private JSONObject payload
Model class:
public class PushAuthErrorResponse {
private int httpStatusCode = 0;
private JSONObject payload = null;
public int getHttpStatusCode() {
return httpStatusCode;
}
public void setHttpStatusCode(int httpStatusCode) {
this.httpStatusCode = httpStatusCode;
}
public JSONObject getPayload() {
return payload;
}
public void setPayload(JSONObject payload) {
this.payload = payload;
}
}
For example:
public PushAuthErrorResponse createErrorResponse(int httpStatusCode, String errorCode, String errorDescription) {
PushAuthErrorResponse pushAuthErrorResponse = new PushAuthErrorResponse();
JSONObject errorResponse = new JSONObject();
errorResponse.put("error_description", errorDescription);
errorResponse.put("error”, errorCode);
pushAuthErrorResponse.setPayload(errorResponse);
pushAuthErrorResponse.setHttpStatusCode(httpStatusCode);
return pushAuthErrorResponse;
}
Once implemented, build a JAR file for the project.
Configuring a Custom Pushed Auth Request Validator¶
- Place the above-created JAR file in the
<IS_HOME>/repository/components/lib
directory. - Open the
<IS_HOME>/repository/conf/deployment.toml
file. -
Find the
[open_banking.identity.extensions]
tag and configure it using the Fully Qualified Name (FQN) of your custom Pushed Auth Request Validator. For example:[open_banking.identity.extensions] push_auth_request_validator="com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.PushAuthRequestValidator"
-
Save the above configurations and restart the Identity Server.