OAuth 2.0 request object endpoint
Important: The request object endpoint is deprecated. Use the Pushed Authorisation Requests (PAR) endpoint, RFC 9126, instead.
OpenID Connect introduced signed authorisation requests, also called request objects: the request parameters are packaged into a JWT that is signed with JWS (and optionally also encrypted with JWE).
The request JWT can be passed to the server's authorisation endpoint in two ways:
- By value, in a request parameter of the authorisation endpoint URL;
- By reference, with a request_uri parameter that points to where the JWT can be retrieved.
The FAPI and OAuth working groups drafted a simple spec for a request object endpoint at the authorisation server, where clients post their request JWTs ahead of the authorisation request and receive a request_uri to reference them by. That draft has since been superseded by Pushed Authorisation Requests (PAR), which follows the same pattern.
Benefits:
- Because the request JWT is submitted in a direct back-channel HTTP call over TLS, its parameters are not exposed to the end-user or the browser; only the opaque request_uri travels through the front channel.
- Because the request is signed with the client's key, the signature authenticates the origin of the request and, when an asymmetric key is used and the application requires it, also provides non-repudiation.
- Permits requests of arbitrary size, free from browser URL length limits.
Example client code to post a request object and obtain its request_uri for the subsequent authorisation request:
import java.net.URI;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.*;
import com.nimbusds.jwt.*;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.http.*;
import com.nimbusds.oauth2.sdk.id.*;

// The client's RSA signing key; its public part is registered with the
// authorisation server (jwks / jwks_uri). Generated here for illustration
// only, in practice load the key the client was registered with
RSAKey rsaJWK = new RSAKeyGenerator(2048)
    .keyID("1")
    .generate();

// Create authorisation request
AuthorizationRequest ar = new AuthorizationRequest.Builder(
        new ResponseType(ResponseType.Value.CODE),
        new ClientID("123"))
    .redirectionURI(URI.create("https://example.com/cb"))
    .state(new State("..."))
    .build();

// Package the request into a JWT signed with the client's private key
SignedJWT requestJWT = new SignedJWT(
    new JWSHeader.Builder(JWSAlgorithm.RS256)
        .keyID(rsaJWK.getKeyID())
        .build(),
    ar.toJWTClaimsSet());
requestJWT.sign(new RSASSASigner(rsaJWK));

// POST the request JWT to the authorisation server's request object endpoint
URI requestObjectEndpoint = URI.create("https://c2id.com/requests");
HTTPRequest httpRequest = new RequestObjectPOSTRequest(
        requestObjectEndpoint,
        requestJWT)
    .toHTTPRequest();
HTTPResponse httpResponse = httpRequest.send();

RequestObjectPOSTResponse postResponse = RequestObjectPOSTResponse.parse(httpResponse);

if (postResponse.indicatesError()) {
    int errorStatus = postResponse.toErrorResponse().getHTTPStatusCode();
    System.out.println("POST request failed: " + errorStatus);
    return;
}

// Extract the generated request URI, e.g. urn:requests:aashoo1Ooj6ahc5C
RequestObjectPOSTSuccessResponse successResponse = postResponse.toSuccessResponse();
URI requestURI = successResponse.getRequestURI();
System.out.println("Request URI: " + requestURI);
Support for the request object endpoint was added in v6.9 of the OAuth 2.0 SDK.
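The two halves the page leaves implicit, the authorisation request that follows the POST (by reference, with request_uri) and the checks the server runs before it stores and later resolves a posted request object, as an added Python sketch that is not code from the page or from the Nimbus SDK. It uses only the standard library, so it signs with HS256 and the client secret in place of the page's RS256 client key; the client registration, the issuer https://c2id.com, the authorisation endpoint https://c2id.com/login, the 60-second lifetime and the in-memory store are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed fixtures for a self-contained run (not values from the page).
AS_ISSUER = "https://c2id.com"
AUTHZ_ENDPOINT = "https://c2id.com/login"
CLIENTS = {  # client_id -> registration; the HS256 key is the client secret (see lead-in)
    "123": {"secret": b"constructed-client-secret-0123456789abcdef",
            "redirect_uris": {"https://example.com/cb"}},
}
REQUEST_URI_TTL = 60  # seconds a posted request object stays redeemable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: package the authorisation request as a compact HS256 JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_request_object(jws: str, client_id: str, now: float = None) -> dict:
    """Server side: what the request object endpoint checks before accepting a request."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    try:
        h, p, s = jws.split(".")
    except ValueError:
        raise ValueError("malformed JWS")
    header = json.loads(_b64url_decode(h))
    # The expected algorithm comes from the client's registration, never from the
    # token: honouring whatever 'alg' the header names lets an attacker pick 'none'.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # Bind the request object to the authenticated client and to this server.
    if claims.get("client_id") != client_id or claims.get("iss") != client_id:
        raise ValueError("client_id/iss mismatch")
    if claims.get("aud") != AS_ISSUER:
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("request object expired")
    if claims.get("redirect_uri") not in client["redirect_uris"]:
        raise ValueError("unregistered redirect_uri")
    if "response_type" not in claims:
        raise ValueError("missing response_type")
    return claims


_posted: dict = {}  # request_uri -> (client_id, claims, expiry); in-memory for the example


def post_request_object(jws: str, authenticated_client_id: str, now: float = None) -> str:
    """Request object endpoint: validate, store, return an opaque one-time request_uri."""
    now = time.time() if now is None else now
    claims = verify_request_object(jws, authenticated_client_id, now)
    request_uri = "urn:requests:" + secrets.token_urlsafe(16)  # random handle, carries no data
    _posted[request_uri] = (authenticated_client_id, claims, now + REQUEST_URI_TTL)
    return request_uri


def build_authorization_url(request_uri: str, client_id: str) -> str:
    """Client side: the front-channel request now carries only the reference."""
    return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def resolve_request_uri(request_uri: str, client_id: str, now: float = None) -> dict:
    """Authorisation endpoint: look up the posted request; single use, bound to the client."""
    now = time.time() if now is None else now
    entry = _posted.pop(request_uri, None)  # pop: a request_uri is redeemable exactly once
    if entry is None:
        raise ValueError("unknown or already used request_uri")
    owner, claims, expiry = entry
    if owner != client_id:
        raise ValueError("request_uri belongs to another client")
    if expiry <= now:
        raise ValueError("request_uri expired")
    return claims


def demo(now: float = None) -> dict:
    """Full exchange on constructed values; returns the parameters the server will act on."""
    now = time.time() if now is None else now
    claims = {"iss": "123", "aud": AS_ISSUER, "client_id": "123", "response_type": "code",
              "redirect_uri": "https://example.com/cb", "scope": "openid",
              "state": secrets.token_urlsafe(8), "exp": int(now) + 60}
    jws = sign_request_object(claims, CLIENTS["123"]["secret"])
    request_uri = post_request_object(jws, "123", now)
    url = build_authorization_url(request_uri, "123")  # where the user agent is sent
    return resolve_request_uri(request_uri, "123", now)
```

Two properties of the store carry the security argument: the request_uri is an unguessable random handle with no embedded data, so nothing about the request leaks through the browser, and it is removed on first redemption, so a front-channel URL that leaks from a log or referrer cannot be replayed. A PAR endpoint needs the same alg pinning, client binding, expiry and single-use handling.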