oauth2.dev

require_signed_request_object

IETF

Registry Context

Boolean authorization server metadata indicating whether every client must use JAR-compliant authorization requests. When true, the server rejects nonconforming requests and Request Objects that use `alg=none`.

Technical Summary

RFC 9101 defines `require_signed_request_object` separately as authorization server metadata and client metadata. For the server metadata value, `true` requires rejection of authorization requests from any client that does not conform to JAR and rejection of Request Objects using `alg=none`. The default is `false` when omitted.

When Used

Used by an authorization server to require JAR-compliant authorization requests and prohibit unsigned Request Objects using `alg=none`.

Normative Requirements

Clients

MAY
1
  1. RFC 9101 - Section 10.5

    use signed Request Objects when mutually supported signing algorithms are available.

    Condition: Even when `require_signed_request_object` metadata values are absent

    the client MAY use signed Request Objects, provided that there are signing algorithms mutually supported by the client and the server

Authorization servers

MUST
2
  1. RFC 9101 - Section 10.5

    reject an authorization request from any client that does not conform to RFC 9101.

    Condition: When the authorization server metadata value is true

    the server MUST reject the authorization request from any client that does not conform to this specification

  2. RFC 9101 - Section 10.5

    reject a request if its Request Object uses an `alg` value of `none`.

    Condition: When the authorization server metadata value is true

    It MUST also reject the request if the Request Object uses an alg value of none

Validation Guidance

error

When `require_signed_request_object` is `true` in authorization server metadata, verify that the server rejects authorization requests from any client that do not conform to RFC 9101.

error

When `require_signed_request_object` is `true` in authorization server metadata, verify that the server rejects Request Objects using `alg=none`.

info

Do not interpret omission of `require_signed_request_object` as prohibiting clients from using signed Request Objects when mutually supported signing algorithms are available.

Security Notes

RFC 9101 - Section 10.5

Requiring JAR prevents attackers from using ordinary RFC 6749 authorization requests to bypass the protections provided by RFC 9101.

Reference

Details

Entry Id
require_signed_request_object
Metadata Name
require_signed_request_object
Metadata Description
Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter.
Change Controller
IETF
Reference
RFC9101 - Section 10.5