InvalidWebAuthDomainException

Exception thrown when a web_auth_domain operation has an invalid value.

SEP-10 Security Requirement: If a "web_auth_domain" ManageData operation is present, its value MUST match the host part of the authentication endpoint URL.

The web_auth_domain operation provides additional protection against URL confusion attacks:

  • It explicitly declares which domain is performing the authentication

  • It must match the host of the WEB_AUTH_ENDPOINT from stellar.toml

  • It prevents authentication servers from impersonating other domains

Example:

  • If WEB_AUTH_ENDPOINT is "https://api.example.com/auth"

  • Then web_auth_domain value MUST be "api.example.com"

Attack scenario prevented: Without this check, a compromised or malicious server could serve challenges claiming to be from a different domain, enabling sophisticated phishing attacks.

The web_auth_domain operation is optional but recommended. When present, it MUST be validated to ensure it matches the authentication endpoint's host.
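The check this exception guards, as an added Kotlin example that is not the library's own code: `ManageDataOp` and the exception class below are constructed stand-ins (the exception mirrors the constructor documented on this page), and `java.net.URI` is used for the host extraction. Absent operation passes, a present operation with a null or mismatching value is rejected.

```kotlin
import java.net.URI

// Hypothetical stand-in mirroring the documented constructor(expected: String, actual: String?).
class InvalidWebAuthDomainException(val expected: String, val actual: String?) :
    Exception("web_auth_domain mismatch: expected $expected, got $actual")

// Minimal constructed model of a Stellar ManageData operation (name plus optional byte value).
data class ManageDataOp(val name: String, val value: ByteArray?)

// Host part of WEB_AUTH_ENDPOINT: no scheme, port or path.
fun authEndpointHost(webAuthEndpoint: String): String =
    URI(webAuthEndpoint).host
        ?: throw IllegalArgumentException("WEB_AUTH_ENDPOINT has no host: $webAuthEndpoint")

// SEP-10: the operation is optional, but when present its value MUST match the endpoint host.
// DNS names are case-insensitive, so this example compares ignoring case.
fun validateWebAuthDomain(ops: List<ManageDataOp>, webAuthEndpoint: String) {
    val op = ops.firstOrNull { it.name == "web_auth_domain" } ?: return
    val expected = authEndpointHost(webAuthEndpoint)
    val actual = op.value?.toString(Charsets.UTF_8)
    if (actual == null || !actual.equals(expected, ignoreCase = true)) {
        throw InvalidWebAuthDomainException(expected, actual)
    }
}

fun main() {
    val endpoint = "https://api.example.com/auth"  // the page's own example endpoint
    val good = listOf(ManageDataOp("web_auth_domain", "api.example.com".toByteArray()))
    val absent = listOf(ManageDataOp("example.com auth", ByteArray(48)))  // only the nonce op
    val mismatch = listOf(ManageDataOp("web_auth_domain", "other.example.org".toByteArray()))
    val nullValue = listOf(ManageDataOp("web_auth_domain", null))

    validateWebAuthDomain(good, endpoint)    // accepted
    validateWebAuthDomain(absent, endpoint)  // accepted: operation is optional
    for (ops in listOf(mismatch, nullValue)) {
        try {
            validateWebAuthDomain(ops, endpoint)
            println("unexpected: accepted ${ops.first().name}")
        } catch (e: InvalidWebAuthDomainException) {
            println("rejected: ${e.message}")
        }
    }
}
```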

Parameters

expected

The expected domain (from auth endpoint host)

actual

The actual web_auth_domain value found in the operation

Constructors

constructor(expected: String, actual: String?)

Properties

expect open val cause: Throwable?
expect open val message: String?