oauth2.dev

require_signed_request_object

IETF

Registry Context

Lets a client require its authorization requests to conform to JAR and disallows unsigned Request Objects using `alg` value `none`.

Technical Summary

The boolean client metadata `require_signed_request_object` defaults to false when omitted. When true, the authorization server rejects authorization requests from that client that do not conform to RFC 9101 and rejects Request Objects using `alg` value `none`.

When Used

When JAR protections must be enforced for a specific client to prevent downgrade to an unprotected RFC 6749 authorization request.

Normative Requirements

Clients

MAY
1
  1. RFC 9101 - Section 10.5

    Use signed Request Objects when the `require_signed_request_object` metadata values are absent..

    Condition: Provided that the client and server mutually support a signing algorithm.

    the client MAY use signed Request Objects

Authorization servers

MUST
2
  1. RFC 9101 - Section 10.5

    Reject an authorization request from the client if it does not conform to RFC 9101..

    Condition: When the client's `require_signed_request_object` metadata value is true.

    server MUST reject the authorization request from the client that does not conform to this specification

  2. RFC 9101 - Section 10.5

    Reject an authorization request whose Request Object uses an `alg` value of `none`..

    Condition: In the client-metadata case when `require_signed_request_object` is true.

    It MUST also reject the request if the Request Object uses an alg value of none

Validation Guidance

error

When the client's `require_signed_request_object` value is true, reject authorization requests from that client that do not conform to RFC 9101.

error

When the client's `require_signed_request_object` value is true, reject Request Objects using `alg` value `none`.

info

Treat an omitted client `require_signed_request_object` value as false.

info

A client may use signed Request Objects when this metadata is absent if the client and server mutually support a signing algorithm.

Security Notes

RFC 9101 - Section 10.5

Without requiring JAR, an attacker can use an RFC 6749 authorization request to bypass the protections provided by RFC 9101.

Reference

Details

Entry Id
require_signed_request_object
Client Metadata Name
require_signed_request_object
Client Metadata Description
Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter.
Change Controller
IETF
Reference
RFC9101 - Section 10.5