Last Update: 2023-11-27 06:15:32 +0000

1.3.2 (27/07/2023)


  • The require_signed_request_object option for JAR (oauth_jwt_secured_authorization_request plugin) is now supported:

      • in the oauth server metadata endpoint;

      • as a plugin config option (oauth_require_signed_request_object, defaults to false);

      • as an oauth dynamic registration endpoint param (require_signed_request_object, requires the corresponding column).

      • When turned on, it enforces JAR-based authorization and does not allow unsigned JAR JWTs.


  • JWT decoding failed in circumstances where a declared encryption algo didn’t have key/method declared.

  • fix for when PAR (oauth_pushed_authorization_request feature) is used with JAR (oauth_jwt_secured_authorization_request plugin): the PAR request_uri param wasn’t being removed when validating authorize request parameters, so the JAR logic evaluated it as a JAR request_uri (it is now correctly not taken into account in such a case).
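
The effect of require_signed_request_object on an authorization request, as an added example that is not rodauth-oauth code. All method names, the HS256-only verification and the sample client values are assumptions made for the illustration.

```ruby
require "base64"
require "json"
require "openssl"

# Added illustration, not rodauth-oauth code: all method names are hypothetical.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Builds a request object; alg "none" yields an unsigned JWT (empty signature).
def build_request_object(claims, alg:, secret: nil)
  input = [{ "alg" => alg, "typ" => "JWT" }, claims].map { |part| b64url(JSON.generate(part)) }.join(".")
  sig = alg == "none" ? "" : b64url(OpenSSL::HMAC.digest("SHA256", secret, input))
  "#{input}.#{sig}"
end

# Length check first, then a comparison that does not stop at the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [:ok, params_or_claims] or [:error, reason].
def check_authorize_params(params, secret:, require_signed_request_object:)
  jwt = params["request"]
  if jwt.nil?
    # Plain query-parameter authorization is only acceptable when the option is off.
    return require_signed_request_object ? [:error, :request_object_required] : [:ok, params]
  end
  parts = jwt.split(".", -1)
  return [:error, :malformed] unless parts.size == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  return [:error, :malformed] unless header.is_a?(Hash)
  case header["alg"]
  when "none"
    # Assumed behaviour with the option off: unsigned request objects pass through.
    require_signed_request_object ? [:error, :unsigned_request_object] : [:ok, claims]
  when "HS256"
    expected = OpenSSL::HMAC.digest("SHA256", secret, parts[0, 2].join("."))
    given = Base64.urlsafe_decode64(parts[2])
    secure_equal?(expected, given) ? [:ok, claims] : [:error, :bad_signature]
  else
    [:error, :unsupported_alg]
  end
rescue ArgumentError, JSON::ParserError
  [:error, :malformed]
end
```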