features.requestObjects
This content is for v8.x.
OIDC Core 1.0 and JWT Secured Authorization Request (JAR) - Request Object
Enables the use and validations of the request and/or request_uri parameters.
default value:
```js
{
  assertJwtClaimsAndHeader: [AsyncFunction: assertJwtClaimsAndHeader], // see expanded details below
  mode: 'strict',
  request: false,
  requestUri: false,
  requireSignedRequestObject: false,
  requireUriRegistration: true
}
```

features.requestObjects options details
assertJwtClaimsAndHeader
Helper function used to validate the Request Object JWT Claims Set and Header beyond what the JAR specification requires.
default value:
```js
import { errors } from 'oidc-provider';

async function assertJwtClaimsAndHeader(ctx, claims, header, client) {
  // @param ctx - koa request context
  // @param claims - parsed Request Object JWT Claims Set as object
  // @param header - parsed Request Object JWT Headers as object
  // @param client - the Client instance

  const fapiProfile = ctx.oidc.isFapi('1.0 Final', '1.0 ID2', '2.0');
  if (fapiProfile) {
    // every FAPI profile requires a bounded lifetime via 'exp'
    if (!('exp' in claims)) {
      throw new errors.InvalidRequestObject("Request Object is missing the 'exp' claim");
    }
    if (fapiProfile === '1.0 Final' || fapiProfile === '2.0') {
      if (!('aud' in claims)) {
        throw new errors.InvalidRequestObject("Request Object is missing the 'aud' claim");
      }
      if (!('nbf' in claims)) {
        throw new errors.InvalidRequestObject("Request Object is missing the 'nbf' claim");
      }
      // 'exp' must be after 'nbf' and no more than one hour later
      const diff = claims.exp - claims.nbf;
      if (Math.sign(diff) !== 1 || diff > 3600) {
        throw new errors.InvalidRequestObject("Request Object 'exp' claim too far from 'nbf' claim");
      }
    }
  }

  if (ctx.oidc.route === 'backchannel_authentication') {
    // CIBA signed requests must carry all four time/replay related claims
    for (const claim of ['exp', 'iat', 'nbf', 'jti']) {
      if (!(claim in claims)) {
        throw new errors.InvalidRequestObject(`Request Object is missing the '${claim}' claim`);
      }
    }
    if (fapiProfile) {
      const diff = claims.exp - claims.nbf;
      if (Math.sign(diff) !== 1 || diff > 3600) {
        throw new errors.InvalidRequestObject("Request Object 'exp' claim too far from 'nbf' claim");
      }
    }
  }
}
```

mode
Defines the provider's strategy for regular OAuth 2.0 parameters that are present alongside the Request Object. Parameters inside the Request Object are ALWAYS used; this option controls whether to combine them with the regular ones or not.
Supported values are:
- 'lax' This is the behaviour expected by OIDC Core 1.0: all parameters that are not present in the Request Object are used when resolving the authorization request.
- 'strict' (default) All parameters outside of the Request Object are ignored. For PAR, FAPI, and CIBA this value is enforced.
default value:
'strict'
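Added example (not code from the oidc-provider documentation or code base) covering the two options above. Part 1 is a custom `assertJwtClaimsAndHeader` that keeps the v8 default claim policy and adds a one-time-use check on `jti`; part 2 is a small function showing which plain parameters `mode: 'strict'` and `mode: 'lax'` let through next to a verified Request Object. `InvalidRequestObject` is a local stand-in for the provider's `errors.InvalidRequestObject` so the file runs without the package; `seenJti`, `checkRequestObject`, `resolveAuthorizationParams` and `makeCtx` are names assumed for this example, and the ctx objects are constructed fakes carrying only `ctx.oidc.isFapi` and `ctx.oidc.route`.

```javascript
// Added example for features.requestObjects; not from the oidc-provider docs or code.
// Local stand-in for errors.InvalidRequestObject so the example runs without the package.
class InvalidRequestObject extends Error {
  constructor(message) {
    super(message);
    this.name = 'InvalidRequestObject';
  }
}

const MAX_LIFETIME = 3600; // exp - nbf bound used by the default helper (seconds)

// Hypothetical in-memory replay cache: "clientId:jti" -> exp (epoch seconds).
// A clustered deployment would back this with shared storage using the same TTL.
const seenJti = new Map();

function rememberJti(key, exp, now) {
  for (const [k, e] of seenJti) if (e <= now) seenJti.delete(k); // evict expired entries
  if (seenJti.has(key)) return false; // already presented within its lifetime
  seenJti.set(key, exp);
  return true;
}

// Synchronous core so it can be exercised directly; returns true or throws.
// `now` is injectable for testing; the provider's helper would just use the clock.
function checkRequestObject(ctx, claims, header, client, now = Math.floor(Date.now() / 1000)) {
  const fapiProfile = ctx.oidc.isFapi('1.0 Final', '1.0 ID2', '2.0');
  const isCiba = ctx.oidc.route === 'backchannel_authentication';

  // Same required-claims policy as the v8 default helper
  const required = new Set();
  if (fapiProfile) required.add('exp');
  if (fapiProfile === '1.0 Final' || fapiProfile === '2.0') { required.add('aud'); required.add('nbf'); }
  if (isCiba) for (const c of ['exp', 'iat', 'nbf', 'jti']) required.add(c);
  for (const claim of required) {
    if (!(claim in claims)) {
      throw new InvalidRequestObject(`Request Object is missing the '${claim}' claim`);
    }
  }

  // Same lifetime bound as the default helper: exp must follow nbf by at most one hour.
  // FAPI 1.0 ID2 on the authorization route does not require nbf, so it is not bounded there.
  const boundLifetime = fapiProfile === '1.0 Final' || fapiProfile === '2.0' || (fapiProfile && isCiba);
  if (boundLifetime) {
    const diff = claims.exp - claims.nbf;
    if (Math.sign(diff) !== 1 || diff > MAX_LIFETIME) {
      throw new InvalidRequestObject("Request Object 'exp' claim too far from 'nbf' claim");
    }
  }

  // Added policy beyond the default: a Request Object that carries a jti may be presented once.
  // client.clientId is the Client instance's identifier; scoping the key to it keeps clients apart.
  if ('jti' in claims) {
    const exp = typeof claims.exp === 'number' ? claims.exp : now + MAX_LIFETIME;
    if (!rememberJti(`${client.clientId}:${claims.jti}`, exp, now)) {
      throw new InvalidRequestObject('Request Object has already been used (jti replay)');
    }
  }
  return true;
}

// Signature expected by features.requestObjects.assertJwtClaimsAndHeader
async function assertJwtClaimsAndHeader(ctx, claims, header, client) {
  return checkRequestObject(ctx, claims, header, client);
}

// Part 2: which plain OAuth 2.0 parameters survive next to a verified Request Object.
// requestObjectParams are the Request Object's claims; plainParams the query/body parameters.
function resolveAuthorizationParams(mode, requestObjectParams, plainParams) {
  if (mode !== 'strict' && mode !== 'lax') throw new TypeError(`unsupported mode '${mode}'`);
  const resolved = {};
  if (mode === 'lax') {
    // OIDC Core 1.0 behaviour: plain parameters fill in what the Request Object does not carry
    for (const [k, v] of Object.entries(plainParams)) {
      if (!(k in requestObjectParams)) resolved[k] = v;
    }
  }
  Object.assign(resolved, requestObjectParams); // Request Object parameters are always used
  return resolved;
}

// Constructed fake of the koa context fields the helper reads
function makeCtx(fapiProfile, route) {
  return { oidc: { isFapi: () => fapiProfile, route } };
}
```

Wire the helper in as `features: { requestObjects: { request: true, assertJwtClaimsAndHeader } }` with the real `errors.InvalidRequestObject` in place of the local class. The helper receives the already parsed claims and header (see the parameter comments on the default above), so it complements the provider's own JWT handling rather than replacing it; what it adds is policy, here the jti replay check. The `mode` function makes the security point of the default visible: in 'lax' mode a parameter such as `state` that the signed Request Object never mentions is taken from the plain request, whereas 'strict' discards it.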
request
Enables the use and validations of the request parameter.
default value:
false

requestUri
Enables the use and validations of the request_uri parameter.
default value:
false

requireSignedRequestObject
Makes the use of signed request objects required for all authorization requests as an authorization server policy.
default value:
false

requireUriRegistration
Makes request_uri pre-registration mandatory (true) or optional (false).
default value:
true