Feat: Validate redirect_uri based on software statement assertion

JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO

https://docs.jans.io

Apache License 2.0

460 stars 73 forks source link

Feat: Validate redirect_uri based on software statement assertion #548

Closed yuriyz closed 3 years ago

yuriyz commented 3 years ago

Describe the issue

Feat: Validate redirect_uri based on software statement assertion

Support: 9854

yuriyz commented 3 years ago

Validation code will be added to io.jans.as.server.service.external.context.DynamicClientRegistrationContext. Idea is to have different validation and common methods inside context which is easy to call from custom script.

E.g. in custom script context.validateSSA() which can perform all common validations.

Lets say customer does not wish to perform all SSA validations and wish only SSA redirect_uris validation, then it will look like: context.validateSSARedirectUri().

validateSSA() - must perform all common validation, e.g. issuer validations, redirect_uri validations. It encapsulates other validation methods
validateSSARedirectUri() - validates SSA redirect uris matches to request redirect uris.
validateSSAIssuer() - validates SSA issuer

...

public void validateSSA() {
validateSSANotNull();
validateSSARedirectUri();
validateIssuer();    
...
}

yuriyz commented 3 years ago

@nynymike @Milton-Ch I've started to work on SSA redirect uri validations for openbanking and it seems to intersect with re-design document https://github.com/JanssenProject/jans-auth-server/wiki/Dynamic-Client-Registration-Re-Design

I guess we can encapsulate most of requirements inside DynamicClientRegistrationContext and implement in java side, however still allow to modify these "building blocks" from custom script. By default we should perform all common validations. Thoughts?

yuriyz commented 3 years ago

Implemented. Added to DynamicClientRegistrationContext following methods :

validateSSA() - performs all common SSA validation. For now it has validateSSARedirectUri() but it will be extended with more methods as described in https://github.com/JanssenProject/jans-auth-server/issues/154
validateSSARedirectUri() - performs check whether requested redirect_uris match to SSA redirect_uri's defined in software_redirect_uris SSA claim.
validateSSARedirectUri(String ssaRedirectUriClaimName) - performs redirect_uris against custom claims name (for case when redirect uris are not in software_redirect_uris claim within SSA)