JWT-Secured Authorization Request

Introduction

JWT-Secured Authorization Request (JAR) is a mechanism for securely pushing authorization parameters to an OpenID Connect (OIDC) Provider in the form of a signed, and optionally encrypted, JSON Web Token (JWT). This addresses a few challenges:

  • The request is tamper-proof, because the Provider verifies the signature before trusting the parameters
  • Confidentiality of the parameters can be maintained by using an encrypted JWT

The JAR can be passed to the authorization request in two ways:

  • Inline, in a parameter called request
  • As a URI reference passed in a parameter called request_uri. This has the benefit that the JAR does not add to the length of the URL, since overly long URLs can cause processing errors.

Long-lived request objects

The Client can choose to include only the immutable request parameters in the request JWT and cache it for a longer period at the request_uri location. Per-request parameters, such as state and the PKCE code challenge, can then be sent as ordinary parameters of the authorization request alongside the request_uri parameter.

In this manner, the JWT does not need to be re-generated often.
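The two delivery options above (request and request_uri) and the long-lived request object pattern, as an added example that is not code from the original page or from any particular OIDC implementation. It uses only the Python standard library; the request object is signed with HS256 under the client secret, which OIDC Core permits for request objects (RS256/ES256 with a registered public key is the more common choice). The client id, secret, issuer, URLs and timestamps are constructed values, and an in-memory dictionary stands in for the location the Provider would dereference at the request_uri.

```python
# Added example, not code from the original page: a minimal JAR round trip.
# Client side: sign a request object holding only immutable parameters and
# build the authorization URL. Provider side: verify the JWT and merge the
# per-request query parameters. All identifiers and URLs are constructed.
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

CLIENT_ID = "s6BhdRkqt3"                                       # constructed
CLIENT_SECRET = b"constructed-example-secret-not-for-real-use"  # constructed
OP_ISSUER = "https://op.example.com"                           # the OIDC Provider
AUTHZ_ENDPOINT = OP_ISSUER + "/authorize"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_long_lived_request_object(now: int) -> str:
    """Only immutable parameters go in, so the JWT can be cached for a day."""
    claims = {
        "iss": CLIENT_ID, "aud": OP_ISSUER, "iat": now, "nbf": now,
        "exp": now + 24 * 3600,
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": "https://client.example.org/cb", "scope": "openid profile",
    }
    return sign_request_object(claims, CLIENT_SECRET)


def build_authorization_url(state: str, code_challenge: str, *,
                            request_uri: str = None, request_object: str = None) -> str:
    """Per-request values travel as plain query parameters next to either
    request_uri (cached JAR) or request (inline JAR), never both."""
    if (request_uri is None) == (request_object is None):
        raise ValueError("pass exactly one of request_uri or request_object")
    params = {"client_id": CLIENT_ID, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    if request_uri is not None:
        params["request_uri"] = request_uri
    else:
        params["request"] = request_object
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def verify_request_object(token: str, secret: bytes, now: float) -> dict:
    """Provider-side checks: pinned alg, signature, iss/aud binding, validity window."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("invalid_request_object: not a compact JWS")
    h64, c64, s64 = parts
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":  # the token never picks the alg
        raise ValueError("invalid_request_object: unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("invalid_request_object: bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != claims.get("client_id") or claims.get("aud") != OP_ISSUER:
        raise ValueError("invalid_request_object: iss/aud mismatch")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("invalid_request_object: outside validity window")
    return claims


def resolve_authorization_request(query: dict, request_uri_store: dict, now: float) -> dict:
    """Merge per-request query parameters with the cached request object.
    Per OIDC Core 6.1 the request object's values win on conflict, and client_id
    must agree between the query string and the JWT."""
    token = request_uri_store[query["request_uri"]]   # stand-in for dereferencing request_uri
    claims = verify_request_object(token, CLIENT_SECRET, now)
    if claims["client_id"] != query.get("client_id"):
        raise ValueError("invalid_request: client_id mismatch")
    merged = {k: v for k, v in query.items() if k != "request_uri"}
    merged.update({k: v for k, v in claims.items()
                   if k not in ("iss", "aud", "iat", "nbf", "exp")})
    return merged


def forge_redirect_uri(token: str, new_redirect: str) -> str:
    """Constructed tampering for the demo: edit the payload without re-signing,
    which verify_request_object must reject as a bad signature."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(b64url_decode(c64))
    claims["redirect_uri"] = new_redirect
    return h64 + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64
```

The Provider checks the signature before it parses any claim, so a modified redirect_uri or scope in the cached object is rejected without ever being merged, which is the tamper-proof property the introduction describes. The merge step keeps the request object authoritative on conflicts, so a per-request query parameter cannot override what the client signed.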

However, the request_uri approach carries risks, such as request URI rewriting, or a denial-of-service (DoS) attack in which the resource behind the request_uri responds with a very large payload.
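The Provider-side mitigations for the two risks just named, as an added example that is not code from the original page or from any particular OIDC Provider: the request_uri is accepted only if it exactly matches a value the client pre-registered (so a rewritten or substituted URI is never dereferenced), and the response body is read in chunks under a byte cap (so an oversized payload is abandoned rather than buffered). The HTTPS fetch is injected as a function so the example runs offline; the client id, registered URIs, cap, timeout and sample bodies are constructed values.

```python
# Added example, not code from the original page: hardening of request_uri
# dereferencing on the OIDC Provider. Everything below is constructed.
from urllib.parse import urlparse

MAX_REQUEST_OBJECT_BYTES = 8 * 1024   # constructed cap; a real JAR is usually well under this
FETCH_TIMEOUT_SECONDS = 3             # constructed; a slow request_uri must not tie up the Provider

# Exact request_uri values each client pre-registered (constructed). Exact string
# matching, not prefix matching, is what defeats a rewritten URI.
REGISTERED_REQUEST_URIS = {
    "s6BhdRkqt3": {
        "https://client.example.org/jar/v1",
        "https://client.example.org/jar/v2",
    },
}


class RequestUriError(ValueError):
    """Maps to the invalid_request_uri error the Provider returns to the client."""


def fetch_request_object(client_id: str, request_uri: str, fetch,
                         max_bytes: int = MAX_REQUEST_OBJECT_BYTES,
                         timeout: int = FETCH_TIMEOUT_SECONDS) -> str:
    """fetch(url, timeout) yields byte chunks. Reading stops as soon as the cap is
    exceeded, so a large payload costs the Provider at most max_bytes of memory."""
    if urlparse(request_uri).scheme != "https":
        raise RequestUriError("invalid_request_uri: https required")
    if request_uri not in REGISTERED_REQUEST_URIS.get(client_id, set()):
        raise RequestUriError("invalid_request_uri: not pre-registered for this client")
    body = bytearray()
    for chunk in fetch(request_uri, timeout=timeout):
        body.extend(chunk)
        if len(body) > max_bytes:
            raise RequestUriError("invalid_request_uri: response exceeds size cap")
    try:
        token = body.decode("ascii").strip()   # a compact JWT is plain ASCII
    except UnicodeDecodeError:
        raise RequestUriError("invalid_request_uri: body is not a compact JWT")
    if token.count(".") not in (2, 4):         # JWS has 3 segments, JWE (encrypted JAR) has 5
        raise RequestUriError("invalid_request_uri: body is not a compact JWT")
    return token                               # signature verification happens next, as usual


def make_offline_fetcher(responses: dict, chunk_size: int = 1024):
    """Constructed stand-in for an HTTPS client: streams canned bodies in chunks,
    the way a real implementation would loop over resp.read(chunk_size)."""
    def fetch(url: str, timeout: int):
        data = responses[url]
        for i in range(0, len(data), chunk_size):
            yield data[i:i + chunk_size]
    return fetch


# Constructed sample responses: one JWT-shaped body, one 1 MiB flood of filler.
SAMPLE_RESPONSES = {
    "https://client.example.org/jar/v1": b"eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJzNkJoZFJrcXQzIn0.c2ln",
    "https://client.example.org/jar/v2": b"A" * (1024 * 1024),
}
```

Because the fetcher is a generator, the size check runs after every chunk and the loop exits on the first chunk that pushes the total over the cap; the remaining megabytes are never read. The same structure works with a real HTTP client by looping over `resp.read(chunk_size)` with the timeout set on the connection. The returned token still goes through the normal signature and claim verification before any parameter in it is trusted.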