Purpose of Request Object in OpenID Connect
This enables sending authentication request parameters in a self-contained JWT instead of plain request parameters. Request Object can be specified to the authorization server either by value or by reference.
Request Object by Value (as request parameter)
The request authorization request parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and has to be optionally signed and/or encrypted.It represents the request as a JWT whose claims are the request parameters. This JWT is called a Request Object.
IS-5.5.0 has inbuilt support for passing Request Object by value.
Request Object by Reference (as request_uri parameter )
The request_uri authorization request parameter enables OpenID Connect requests to be passed by reference, rather than by value. This parameter is used identically to the request parameter, other than that the Request Object value is retrieved from the resource at the specified URL.
WSO2 Identity Server 5.5.0 does not support passing Request Object by Reference. However, an extension point is provided which can be extended to provide support for understanding Request Object from reference URI specified by request_uri
The payload of the above sample Request Object is as follows:
If the above request is sent, it requests some claims from both the members userinfo endpoint and id_token. For example, 'given_name' and 'email' are marked as essential claims from user info endpoint and 'brithdate' is requested as an essential claim from id token.
Usually, in OpenID Connect, the returning claims will be filtered from the requested scopes that are passed to the server as a query parameter with the authorization request. When it comes to WSO2 Identity Server, it filters the requested claims both from the requested scopes defined with the authorization request and the requested claims that can be configured in service provider configurations. But if the Request Object is associated with the authorization request, the server returns the essential request object claims in the response of userinfo endpoint and id_token accordingly.
The following validations is done on the server side.
- The client_id and response_type of the request object (if present) should be equal to the client_id and the response_type of the authorization request.
- The authorization request query parameters will be overridden from the Request Object values if they are present in the Request Object.
- Both the request and request_uri parameters cannot be associated with the same authorization request.
- Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate the underlying OAuth 2.0 logic that this is an OpenID Connect request. (For further validation information, refer OIDC specification)
- Here the requested scope is considered as 'openid email' as the scope value of the request object is declared. So the server will ignore the scope value which is associated with the authorization request and considers the requested scope as 'openid email'
- It considers the claims "given_name" and "email" which are marked as 'essential:true' for 'userinfo' member. Even if they are not mapped with the openid or address scope in the registry, if these claims are requested claims, then 'given_name' and 'email' will be returned from the Userinfo endpoint. In a nutshell, the claims which are marked as 'essential: true' only get controlled by the requested claims and ignore the requested scopes. If the server cannot provide those essential claims, there will not be any failure or error message returning from the server.
- The claims like "nickname" it will act as a default claim and will be controlled by both requested scopes and the requested claims.
- If the server cannot provide the requested essential claims, the server will return null for the specific claim and the flow will not break.
This behavior is common to the id token as well
If the Request Object is a nested JWT, which is signed and encrypted, then the payload (Cipher Text) of the Request Object is a signed JWT. So the server will decrypt the JWE first and then check the payload for signature validation.
All the validations and the request object builder are extensible so that a third party user can build the request object and do any validations in their own way. At the moment, Identity Server does not have a default implementation for request_uri parameter and instead, it extracts the request_uri parameter from the request object and pass it.
The following configuration changes should be done in
$IS_HOME/repository/conf/identity/identity.xmlwhen writing extension points for this feature.
If the configuration is not present, the default classes will be executed.
Please note that Identity Server 5.5.0 does not have a default implementation for request_uri parameter.
If you implement a
CustomRequestObjectBuilder to obtain Request Object from request_uri, you need to register it as a new