Skip to main content
Version: v2.0 (latest)

Signed Authorization Requests (JAR)

Signed requests are the recommended way to call OIDC Web. Instead of passing the authorization parameters as a plain query string, your application wraps them in a JWT (the request object) signed with its private key. Your application then passes that JWT in the request parameter. OIDC Web verifies the signature against the public key registered for your client before doing anything else.

When to use it. Every production integration. Clients can be configured so that signed requests are mandatory; unsigned requests to such a client are rejected outright.

Advantages.

  • Tamper-proof. A modified parameter invalidates the signature; the request is rejected before any verification credit is spent.
  • Forgery-resistant. Only the holder of your registered private key can produce a request OIDC Web will honor. Attackers cannot mint authorization requests against your account.
  • Standard. Plain RFC 9101; supported by mainstream OIDC libraries.

For the implementation, see Signed Authorization Requests (JAR) in the User Guide.