Request object endpoint

OpenID Connect introduced the concept of signed authorisation requests. The parameters are packaged into a JWT that is signed with JWS (and optionally encrypted with JWE).

The request JWT can be passed to the authorisation endpoint of the server in two ways:

  • As request parameter to the URL to the authorisation endpoint;
  • By reference, with a request_uri parameter.

The FAPI and OAuth working groups are currently developing a simple spec for a request object endpoint at the authorisation server where clients can post their request JWTs, prior to making the authorisation request.

Benefits:

  • Because the request is submitted by a backend HTTP call over TLS, its parameters are kept confidential from the end-user and browser.
  • By virtue of the request being signed by the client, this also serves as a mean to authenticate the request and have the benefit of non-repudiation (if required by the application).
  • Permits requests of arbitrary size, free from potential browser URL limitations.

Example client code to post a request object and obtain its request_uri for the further authorisation request:

import java.net.URI;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jwt.*;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.http.*;

// Create authorisation request
AuthorizationRequest ar = new AuthorizationRequest.Builder(
    new ResponseType(ResponseType.Value.CODE),
    new ClientID("123"))
    .redirectionURI(URI.create("https://example.com/cb"))
    .state(new State("..."))
    .build();

// Package the request into a JWT signed with the client's private key
SignedJWT requestJWT = new SignedJWT(
    new JWSHeader.Builder(JWSAlgorithm.RS256)
        .keyID(rsaJWK.getKeyID())
        .build(),
    ar.toJWTClaimsSet());
requestJWT.sign(new RSASSASigner(rsaJWK));

// POST the request JWT to the Authorisation server
URI requestObjectEndpoint = URI.create("https://c2id.com/requests");
HTTPRequest httpRequest = new RequestObjectPOSTRequest(
    requestObjectEndpoint,
    requestJWT)
    .toHTTPRequest();

HTTPResponse httpResponse = httpRequest.send();
RequestObjectPOSTResponse postResponse = RequestObjectPOSTResponse.parse(httpResponse);

if (postResponse.indicatesError()) {
    int errorStatus = postResponse.toErrorResponse().getHTTPStatusCode();
    System.out.println("POST request failed: " + errorStatus);
    return;
}

// Extract the generated request URI, e.g. urn:requests:aashoo1Ooj6ahc5C
RequestObjectPOSTSuccessResponse successResponse = postResponse.toSuccessResponse();
URI requestURI = successResponse.getRequestURI();
System.out.println("Request URI: " + requestURI);

Support for the request object endpoint was added in v6.9 of the OAuth 2.0 SDK.