require_ signed_ request_ object
Registry Context
Boolean authorization server metadata indicating whether every client must use JAR-compliant authorization requests. When true, the server rejects nonconforming requests and Request Objects that use `alg=none`.
Technical Summary
RFC 9101 defines `require_signed_request_object` separately as authorization server metadata and client metadata. For the server metadata value, `true` requires rejection of authorization requests from any client that does not conform to JAR and rejection of Request Objects using `alg=none`. The default is `false` when omitted.
When Used
Used by an authorization server to require JAR-compliant authorization requests and prohibit unsigned Request Objects using `alg=none`.
Normative Requirements
Clients
RFC 9101 - Section 10.5
use signed Request Objects when mutually supported signing algorithms are available.
Condition: Even when `require_signed_request_object` metadata values are absent
the client MAY use signed Request Objects, provided that there are signing algorithms mutually supported by the client and the server
Authorization servers
RFC 9101 - Section 10.5
reject an authorization request from any client that does not conform to RFC 9101.
Condition: When the authorization server metadata value is true
the server MUST reject the authorization request from any client that does not conform to this specification
RFC 9101 - Section 10.5
reject a request if its Request Object uses an `alg` value of `none`.
Condition: When the authorization server metadata value is true
It MUST also reject the request if the Request Object uses an alg value of none
Validation Guidance
When `require_signed_request_object` is `true` in authorization server metadata, verify that the server rejects authorization requests from any client that do not conform to RFC 9101.
When `require_signed_request_object` is `true` in authorization server metadata, verify that the server rejects Request Objects using `alg=none`.
Do not interpret omission of `require_signed_request_object` as prohibiting clients from using signed Request Objects when mutually supported signing algorithms are available.
Security Notes
RFC 9101 - Section 10.5
Requiring JAR prevents attackers from using ordinary RFC 6749 authorization requests to bypass the protections provided by RFC 9101.
Reference
Details
- Entry Id
require_signed_ request_ object - Metadata Name
require_signed_ request_ object - Metadata Description
Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter. - Change Controller
IETF- Reference
RFC9101 - Section 10.5