Custom Request Object Validator
Writing a Custom Request Object Validator¶
A Request Object contains authentication and authorization request parameters in a self-contained JWT. It is used in the authorization endpoint of WSO2 Identity Server. Banks can use this authorization endpoint to redirect the bank customer to authenticate and approve/deny consents before an API consumer accesses financial information.
In WSO2 Open Banking Accelerator, the Request Object validator uses its existing validation layer to enforce validations. By default, it consists of 3 validations:
@RequiredParameter
checks if the Request Object is signed.@ValidScopeFormat
checks if the scope claim contains an OpenID Connect(OIDC) scope.@ValidAudience
checks if the audience claim matches the token endpoint URL.@ValidSigningAlgorithm
checks if the correct signing algorithm is used.
For more information on the validation layer in WSO2 Open Banking Accelerator, see Validation Layer.
You can extend the default validations in WSO2 Open Banking Accelerator and add more validations according to your open banking requirement:
-
To implement a custom Request Object validator, extend the following class:
com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.OBRequestObjectValidator
-
Add the required validations as annotations to the model.
Note
For annotations, you can use:
- Hibernate Validator Library
- WSO2 Open Banking Accelerator
- Custom annotations
-
Extend
OBRequestObjectValidator
and create your own class.
validateOBConstraints method¶
This method performs the custom validations you add. Given below is the method signature:
public ValidationResponse validateOBConstraints(OBRequestObject obRequestObject, Map<String, Object> dataMap)
Note
The dataMap
parameter contains data related to scope validation at the moment. This dataMap
parameter provides
the scope registered for the service provider application. Therefore, this can be used to validate the scopes given
in the Request Object according to your requirement.
-
Type cast
OBRequestObject
to your own model using the following sample:UKRequestObject ukRequestObject = new UKRequestObject(obRequestObject);
-
To make sure the default validations of the Request Object executes, validate your new model, which is inherited from
obRequestObject
as follows:String error = OpenBankingValidator.getInstance().getFirstViolation(yourInheritedNewModel);
Configuring a custom Request Object Validator¶
-
Make sure the following configuration exists in
<IS_HOME>/repository/conf/deployment.toml
:[oauth.oidc.extensions] request_object_validator = "com.wso2.openbanking.accelerator.identity.auth.extensions.request.validator.OBRequestObjectValidationExtension"
-
Update the following configuration in
<IS_HOME>/repository/conf/deployment.toml
with your extended class:[open_banking.identity.extensions] request_object_validator = "your.extended.class"