The `:oauth_jwt_secured_authorization_request` plugin allows authorization request parameters to be passed via JWT, through the `request` or `request_uri` parameters, as the RFC mandates. This JWT can be signed (and encrypted) by the client; the provider uses the client application's associated JWKs, stored in the database, to verify the signature, and may decrypt it (for which a private decryption key must also be available in the client application's JWKs).

This feature is intended for client applications that want to protect the integrity of the parameters of the authorization request.
```ruby
plugin :rodauth do
  enable :oauth_authorization_code_grant, :oauth_jwt_secured_authorization_request
end
```
When this feature is enabled, the authorization request supports the following parameters:

`request`
: a JWT "request object" encoding the authorization parameters.

`request_uri`
: a client-provided URI from which to fetch the JWT request object.

In order to verify (and decrypt, if necessary) JWT-secured authorization requests, the client application must have its JWKs set, either in the `oauth_applications_jwks_column` or in the `oauth_applications_jwks_uri_column`. The client application is also recommended to set `oauth_applications_request_object_signed_response_alg_column` (and `oauth_applications_request_object_encrypted_response_alg_column` and `oauth_applications_request_object_encrypted_response_enc_column`, if decryption is necessary).
By default, `"none"` is not a supported signing algorithm for the JWT request object. If you'd like to enable it, set `oauth_request_object_signing_alg_allow_none` to `true`.
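As an added example (not rodauth-oauth's own code), the following standard-library Ruby script shows both halves of the exchange described above: a client signing its authorization parameters into a request object, and a provider verifying that object against the JWKs registered for the client application and refusing `"none"` unless explicitly allowed, in the spirit of `oauth_request_object_signing_alg_allow_none`. The client key, JWK set, `kid`, parameter values and the helper names (`build_request_object`, `verify_request_object`, `rsa_public_key_from_jwk`) are constructed for this example; it covers signing only, not encryption.

```ruby
require "openssl"
require "json"

# Added illustration, not rodauth-oauth's own code: a client signs its
# authorization parameters into a JWT "request object", and the provider
# verifies that JWS against the JWKs registered for the client application.
# Assumption: the client registered a single RS256 RSA key (constructed below).

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

# Rebuild an RSA public key from a JWK's (n, e) by wrapping it in a
# SubjectPublicKeyInfo DER structure that OpenSSL::PKey.read understands.
def rsa_public_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  rsa_public_key = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId("rsaEncryption"), OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(rsa_public_key.to_der)
  ])
  OpenSSL::PKey.read(spki.to_der)
end

# Client side: sign the authorization parameters into a compact JWS (RS256).
# The result is what would be sent in `request`, or hosted behind `request_uri`.
def build_request_object(params, private_key, kid)
  header  = b64url(JSON.generate({ "alg" => "RS256", "typ" => "oauth-authz-req+jwt", "kid" => kid }))
  payload = b64url(JSON.generate(params))
  signing_input = "#{header}.#{payload}"
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

class RequestObjectError < StandardError; end

# Provider side: verify the request object with the client application's
# registered JWKs and its registered signing alg. `allow_none` plays the role of
# oauth_request_object_signing_alg_allow_none: unsigned objects are refused
# unless it is true.
def verify_request_object(jws, jwks, registered_alg: "RS256", allow_none: false)
  parts = jws.split(".", -1)
  raise RequestObjectError, "malformed JWS" unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  alg = header["alg"]

  if alg == "none"
    raise RequestObjectError, "unsigned request object refused" unless allow_none
    return JSON.parse(b64url_decode(payload_b64))
  end
  raise RequestObjectError, "alg #{alg} is not the registered #{registered_alg}" unless alg == registered_alg
  raise RequestObjectError, "unsupported alg #{alg}" unless alg == "RS256"

  # Key selection is by kid within the JWKs stored for this client application.
  jwk = jwks["keys"].find { |k| k["kty"] == "RSA" && k["kid"] == header["kid"] }
  raise RequestObjectError, "no JWK for kid #{header["kid"].inspect}" unless jwk

  signing_input = "#{header_b64}.#{payload_b64}"
  ok = rsa_public_key_from_jwk(jwk).verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig_b64), signing_input)
  raise RequestObjectError, "signature verification failed" unless ok
  JSON.parse(b64url_decode(payload_b64))
end

CLIENT_KEY = OpenSSL::PKey::RSA.new(2048) # constructed sample client key
# Constructed JWK set, standing in for what oauth_applications_jwks_column holds for this client.
CLIENT_JWKS = { "keys" => [{
  "kty" => "RSA", "kid" => "client-key-1", "use" => "sig", "alg" => "RS256",
  "n" => b64url(CLIENT_KEY.n.to_s(2)), "e" => b64url(CLIENT_KEY.e.to_s(2))
}] }
AUTHZ_PARAMS = { # constructed sample authorization parameters
  "client_id" => "example-client", "response_type" => "code",
  "redirect_uri" => "https://client.example/cb", "scope" => "openid profile", "state" => "xyz123"
}

# An unsigned ("alg": "none") request object, used to show the default refusal.
def unsigned_request_object(params)
  "#{b64url(JSON.generate({ "alg" => "none" }))}.#{b64url(JSON.generate(params))}."
end

if __FILE__ == $0
  jws = build_request_object(AUTHZ_PARAMS, CLIENT_KEY, "client-key-1")
  p verify_request_object(jws, CLIENT_JWKS)
end
```

The provider never trusts the `alg` in the header on its own: it must equal the algorithm registered for the client (the role of `oauth_applications_request_object_signed_response_alg_column`), the key is looked up only among that client's stored JWKs, and an unsigned object is accepted only when the `allow_none` switch is deliberately turned on.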