Interface ScopeValidator

All Superinterfaces:
org.forgerock.oauth2.core.plugins.OAuth2Plugin
All Known Subinterfaces:
ScopeValidator

@Supported public interface ScopeValidator extends org.forgerock.oauth2.core.plugins.OAuth2Plugin
A plugin (or extension point) that allows the OAuth2 provider to customise the set of requested scopes for authorize, access token, refresh token and back-channel authorize requests.
  • Method Summary

    Set<String> validateAccessTokenScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request)
        Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when an access token is requested.
    Set<String> validateAuthorizationScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request)
        Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when authorization is requested.
    Set<String> validateBackChannelAuthorizationScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> requestedScopes, OAuth2Request request)
        Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when performing a client-initiated back-channel authentication.
    Set<String> validateRefreshTokenScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request)
        Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when a refresh token is requested.
  • Method Details

    • validateAuthorizationScope

      @Supported Set<String> validateAuthorizationScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.InvalidScopeException, org.forgerock.oauth2.core.exceptions.ServerException
      Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when authorization is requested.
      Parameters:
      clientRegistration - The client registration.
      scope - The requested scope.
      request - The OAuth2 request.
      Returns:
      The updated scope used in the remaining OAuth2 process.
      Throws:
      org.forgerock.oauth2.core.exceptions.InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
      org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.
    • validateAccessTokenScope

      @Supported Set<String> validateAccessTokenScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.InvalidScopeException, org.forgerock.oauth2.core.exceptions.ServerException
      Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when an access token is requested.
      Parameters:
      clientRegistration - The client registration.
      scope - The requested scope.
      request - The OAuth2 request.
      Returns:
      The updated scope used in the remaining OAuth2 process.
      Throws:
      org.forgerock.oauth2.core.exceptions.InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
      org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.
    • validateRefreshTokenScope

      @Supported Set<String> validateRefreshTokenScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.ServerException, org.forgerock.oauth2.core.exceptions.InvalidScopeException
      Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when a refresh token is requested.
      Parameters:
      clientRegistration - The client registration.
      requestedScope - The requested scope.
      tokenScope - The scope from the access token.
      request - The OAuth2 request.
      Returns:
      The updated scope used in the remaining OAuth2 process.
      Throws:
      org.forgerock.oauth2.core.exceptions.InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
      org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.
    • validateBackChannelAuthorizationScope

      @Supported Set<String> validateBackChannelAuthorizationScope(org.forgerock.oauth2.core.ClientRegistration clientRegistration, Set<String> requestedScopes, OAuth2Request request) throws org.forgerock.oauth2.core.exceptions.InvalidScopeException, org.forgerock.oauth2.core.exceptions.ServerException
      Provided as an extension point to allow the OAuth2 provider to customise the scopes requested when performing a client-initiated back-channel authentication.
      Parameters:
      clientRegistration - The client registration.
      requestedScopes - The requested scopes.
      request - The OAuth2 request.
      Returns:
      The updated scope used in the remaining OAuth2 process.
      Throws:
      org.forgerock.oauth2.core.exceptions.InvalidScopeException - If the requested scope is invalid, unknown, or malformed.
      org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.
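As an added example (not part of this page or of the provider's own code), an implementation of all four methods that confines every grant to the scopes the client is registered for and refuses a refresh that asks for more than the original access token was granted, so the validator becomes the enforcement point against scope escalation. The ClientRegistration accessors getAllowedScopes() and getDefaultScopes(), the String constructor of InvalidScopeException, and the packages of OAuth2Request and ScopeValidator are assumptions not shown on this page.

```java
import java.util.HashSet;
import java.util.Set;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.OAuth2Request;           // package assumed; the page shows only the simple name
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.plugins.ScopeValidator;  // package assumed

// Allows only scopes the client is registered for and stops a refresh from widening the original grant.
public class RestrictiveScopeValidator implements ScopeValidator {
    // Assumed accessors on ClientRegistration: getAllowedScopes() and getDefaultScopes().
    private Set<String> restrictToClient(ClientRegistration client, Set<String> requested)
            throws InvalidScopeException {
        // Nothing requested: fall back to the client's registered default scopes.
        if (requested == null || requested.isEmpty()) return new HashSet<>(client.getDefaultScopes());
        Set<String> unknown = new HashSet<>(requested);
        unknown.removeAll(client.getAllowedScopes());
        if (!unknown.isEmpty()) {
            // Reject rather than silently drop, so an over-broad request is visible to the client and in logs.
            throw new InvalidScopeException("Scope not permitted for client: " + unknown);
        }
        return new HashSet<>(requested);
    }
    @Override
    public Set<String> validateAuthorizationScope(ClientRegistration client, Set<String> scope,
            OAuth2Request request) throws InvalidScopeException, ServerException {
        return restrictToClient(client, scope);
    }
    @Override
    public Set<String> validateAccessTokenScope(ClientRegistration client, Set<String> scope,
            OAuth2Request request) throws InvalidScopeException, ServerException {
        return restrictToClient(client, scope);
    }
    @Override
    public Set<String> validateRefreshTokenScope(ClientRegistration client, Set<String> requestedScope,
            Set<String> tokenScope, OAuth2Request request) throws ServerException, InvalidScopeException {
        // RFC 6749 section 6: a refresh may narrow the granted scope but must never exceed it.
        if (requestedScope == null || requestedScope.isEmpty()) return new HashSet<>(tokenScope);
        if (!tokenScope.containsAll(requestedScope)) {
            throw new InvalidScopeException("Refresh requests scope beyond the original grant");
        }
        return restrictToClient(client, requestedScope);
    }
    @Override
    public Set<String> validateBackChannelAuthorizationScope(ClientRegistration client,
            Set<String> requestedScopes, OAuth2Request request) throws InvalidScopeException, ServerException {
        return restrictToClient(client, requestedScopes);
    }
}
```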