Passing Request parameters as JWTs

The request Authorization Request parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. It represents the request as a JWT whose Claims are the request parameters specified in Section 3.1.2 of OpenID Connect Core 1.0. This JWT is called a Request Object.
You can use either the request or the request_uri parameter to send a request object in an authorization request to the Identify OAuth 2.0/OIDC authorization server: request carries the JWT itself in the query string, while request_uri carries a URL from which Identify fetches the JWT.

Discovery endpoint

You can check the discovery endpoint of your Identify instance to see whether it supports the request parameter feature (OpenID Connect Discovery advertises this through the request_parameter_supported and request_uri_parameter_supported metadata values):

Dynamic registration endpoint

The dynamic registration endpoint supports the request_uris parameter.
You can use it to pre-register request_uri values which your OIDC application uses.

UI to register the list of request_uris

In addition to the dynamic registration endpoint, you can register or update the request_uris through the Safewhere Admin interface.

[Image: request-object-ui]

Request object

You can pass a request object either by the "request" or the "request_uri" parameter. The request object can be signed with RS256 or left unsigned.

An example of an authorization request which has some parameters in the request object and others in the request URL parameters:

The request object is:

When an authorization request uses a valid request object but also puts the same parameters in the request URL, the values in the request object take precedence over the URL values. client_id and response_type are not overridden: if they appear in the request object they must match the URL values (see the validation notes below).

The full list of parameters for which the request object takes precedence is:

  • scope
  • max_age
  • response_mode
  • state
  • prompt
  • id_token_hint
  • nonce
  • redirect_uri
  • whr

Request object validation notes

When the user logs in to an OIDC application, Identify stops at an error page (instead of redirecting the user back to the application) if one of the following validations fails:

  • Invalid request object: [request] and [request_uri] can not be used in the same authorization request.
  • The Request URI must be an HTTPS schema URI.
  • The Request uri cannot be found in the pre-register request_uris.
  • Client id is not valid; client_id in request object must be the SAME as the one in OAuth request syntax.
  • Response type is not valid; response_type in request object must be the SAME as the one in OAuth request syntax.
  • The request and request_uri parameters MUST NOT be included in Request Objects.
  • It is unable to load jwt from request_uri.
  • Request Object Jwt cannot be read.
  • Missing 'alg' header value in the JWT.
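The following is an added example written for this page; it is not Safewhere's code and does not reproduce how Identify is implemented. It builds an unsigned (alg=none) request object on the client side, places it in an authorization URL, and then applies the validation rules and the precedence list above on the server side. The authorize endpoint URL, the client_id and the redirect_uri are placeholders, request_uri fetching is simulated with a callback instead of an HTTP request, the verify_signature callback for signed request objects is a hypothetical hook (RS256 verification against the client's jwks is not implemented here), and the handling of a conflicting parameter outside the listed set (URL value kept) is an assumption.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Parameters for which a value in the request object wins over the same
# parameter in the URL (the list given on this page).
REQUEST_OBJECT_PRECEDENCE = {
    "scope", "max_age", "response_mode", "state", "prompt",
    "id_token_hint", "nonce", "redirect_uri", "whr",
}


class RequestObjectError(ValueError):
    """Raised where Identify would stop at its error page instead of redirecting."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- client side ----------------------------------------------------------

def build_unsigned_request_object(claims: dict) -> str:
    """Serialize request parameters as an alg=none JWT in JWS Compact form
    (header.payload. with an empty signature part)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def build_authorization_url(authorize_endpoint: str, url_params: dict) -> str:
    return authorize_endpoint + "?" + urlencode(url_params)


def params_from_url(url: str) -> dict:
    """Flatten the query string; OAuth authorization parameters are single-valued."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# ---- server side ----------------------------------------------------------

def parse_request_object(jwt: str) -> tuple:
    parts = jwt.split(".")
    if len(parts) != 3:
        raise RequestObjectError("The Request Object is not in JWS Compact serialized format.")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON all derive from ValueError
        raise RequestObjectError("Request Object Jwt cannot be read.")
    if "alg" not in header:
        raise RequestObjectError("Missing 'alg' header value in the JWT.")
    return header, claims


def resolve_authorization_request(url_params, registered_request_uris, fetch_request_uri,
                                  verify_signature=None):
    """Validate the request/request_uri usage and merge the request object into the
    URL parameters, returning the effective parameter set."""
    if "request" in url_params and "request_uri" in url_params:
        raise RequestObjectError("Invalid request object: [request] and [request_uri] can not be used in the same authorization request.")
    jwt = url_params.get("request")
    if "request_uri" in url_params:
        uri = url_params["request_uri"]
        if urlparse(uri).scheme != "https":
            raise RequestObjectError("The Request URI must be an HTTPS schema URI.")
        if uri not in registered_request_uris:
            raise RequestObjectError("The Request uri cannot be found in the pre-register request_uris.")
        jwt = fetch_request_uri(uri)  # simulated fetch; returns None on failure
        if jwt is None:
            raise RequestObjectError("It is unable to load jwt from request_uri.")
    if jwt is None:
        return dict(url_params)  # plain OAuth request syntax, nothing to merge
    header, claims = parse_request_object(jwt)
    if header["alg"] != "none":
        # Hypothetical hook: RS256 verification against the client's jwks lives here.
        if verify_signature is None or not verify_signature(jwt, header):
            raise RequestObjectError("The request object is invalid due to the following error: signature could not be verified.")
    if "request" in claims or "request_uri" in claims:
        raise RequestObjectError("The request and request_uri parameters MUST NOT be included in Request Objects.")
    for name in ("client_id", "response_type"):
        if name in claims and claims[name] != url_params.get(name):
            raise RequestObjectError(f"{name} in request object must be the SAME as the one in OAuth request syntax.")
    merged = {k: v for k, v in url_params.items() if k not in ("request", "request_uri")}
    for name, value in claims.items():
        # Listed parameters override the URL; unlisted ones are taken only when absent (assumption).
        if name in REQUEST_OBJECT_PRECEDENCE or name not in merged:
            merged[name] = value
    return merged


def validation_error(url_params, registered_request_uris=frozenset(), fetch_request_uri=lambda uri: None):
    """Return the error message the request would stop on, or None if it is accepted."""
    try:
        resolve_authorization_request(url_params, registered_request_uris, fetch_request_uri)
    except RequestObjectError as exc:
        return str(exc)
    return None


def demo() -> dict:
    # Constructed sample: scope and state appear in both places with different values.
    request_object = build_unsigned_request_object({
        "client_id": "sample-client", "response_type": "code",
        "scope": "openid profile", "state": "state-from-request-object",
        "nonce": "n-0S6_WzA2Mj", "redirect_uri": "https://app.example.com/callback",
    })
    url = build_authorization_url("https://identify.example.com/authorize", {  # placeholder endpoint
        "client_id": "sample-client", "response_type": "code",
        "scope": "openid", "state": "state-from-url", "request": request_object,
    })
    return resolve_authorization_request(params_from_url(url), set(), lambda uri: None)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows scope and state taken from the request object while nonce and redirect_uri, which only exist in the request object, are carried into the effective request; validation_error() returns the message for each of the failure cases listed above.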

If the request object is signed, the following errors may occur, with the corresponding error messages:

  • Invalid setting: The jwks_uri and jwks parameters MUST NOT be used together.
  • It is unable to load jwks from "ClientJwksUri".
  • Invalid setting: Client jwks is not configured yet, please check the appropriate settings again.
  • Invalid setting: Signing credential which is used for signing the Request Object could not be found on client's jwks, please check the appropriate settings again.
  • The Request Object is not in JWS Compact serialized format.
  • The request object is invalid due to the following error: [Signing token validation failed message].