Verifies a call from a relying party, that the necessary data has been created by the initial authentication. The call must have been preceded by a successful OpenID Connect authentication. 

NOTE: This valve is important in terms of security!


Name Description Default value Mandatory Supports property expansion

Example Configuration

  "name": "OIDCTokenRequestValidationValve",
  "enabled": "true",
  "config": {


  • Session must be present in the flow. Loaded by prior execution.
  • Request must contain parameter client_id, code & redirect_uri.
  • The loaded session must contain an item matching the client_id. Typically, this is generated by the initial authentication.
  •  Parameter code must match the value with the same name provided by the authentication response in the initial authentication. 
  • Parameter redirect_uri  must match the value with the same name provided by the relying party in the initial authentication. 

General information

The session loaded is expected to contain an item generated by the authentication. This valve will copy the entire item from session to the flow for possible future use. The id of the item will be copied to an item parameter, subject_id.