require_ signed_ request_ object
Registry Context
Lets a client require its authorization requests to conform to JAR and disallows unsigned Request Objects using `alg` value `none`.
Technical Summary
The boolean client metadata `require_signed_request_object` defaults to false when omitted. When true, the authorization server rejects authorization requests from that client that do not conform to RFC 9101 and rejects Request Objects using `alg` value `none`.
When Used
When JAR protections must be enforced for a specific client to prevent downgrade to an unprotected RFC 6749 authorization request.
Normative Requirements
Clients
RFC 9101 - Section 10.5
Use signed Request Objects when the `require_signed_request_object` metadata values are absent..
Condition: Provided that the client and server mutually support a signing algorithm.
the client MAY use signed Request Objects
Authorization servers
RFC 9101 - Section 10.5
Reject an authorization request from the client if it does not conform to RFC 9101..
Condition: When the client's `require_signed_request_object` metadata value is true.
server MUST reject the authorization request from the client that does not conform to this specification
RFC 9101 - Section 10.5
Reject an authorization request whose Request Object uses an `alg` value of `none`..
Condition: In the client-metadata case when `require_signed_request_object` is true.
It MUST also reject the request if the Request Object uses an alg value of none
Validation Guidance
When the client's `require_signed_request_object` value is true, reject authorization requests from that client that do not conform to RFC 9101.
When the client's `require_signed_request_object` value is true, reject Request Objects using `alg` value `none`.
Treat an omitted client `require_signed_request_object` value as false.
A client may use signed Request Objects when this metadata is absent if the client and server mutually support a signing algorithm.
Security Notes
RFC 9101 - Section 10.5
Without requiring JAR, an attacker can use an RFC 6749 authorization request to bypass the protections provided by RFC 9101.
Reference
Details
- Entry Id
require_signed_ request_ object - Client Metadata Name
require_signed_ request_ object - Client Metadata Description
Indicates where authorization request needs to be protected as Request Object and provided through either request or request_uri parameter. - Change Controller
IETF- Reference
RFC9101 - Section 10.5