Using Request Objects

Preface


This article describes how to use request objects in authorization requests processed by Authlete.

Configuration


In order for an Authlete service to process authorization requests that carry a request object, you have to configure the following two properties so that the service can verify the object's signature:

  1. Specifying the signing algorithm used for request objects
  2. Registering a public key that corresponds to the specified signing algorithm

Both are configurable for each client through Authlete's Developer Console.

Processing request objects



1. Specifying a signing algorithm


Enter a value representing the signing algorithm in the Request Object Signature Algorithm field on the Authorization tab. The following example shows the result when “ES256” has been registered.

(Screenshot: Request Object Signature Algorithm)


2. Registering a public key


Register a JWK-formatted public key in the JWK Set Content field on the JWK Set tab. The following example shows the result when an ES256 public key has been registered.

(Screenshot: JWK Set Content)

With the settings above, when the configured client makes an authorization request that contains a request object, the Authlete service verifies the object's signature using the registered public key that corresponds to the configured signing algorithm, and then proceeds with the request.

Examples


API request / response examples are as follows (folded for readability).

Request


An authorization server makes a request to Authlete's /auth/authorization API. The request contains the authorization request received from the client as the value of "parameters". The client has created a signed JWT (the request object) and added it as the value of the request parameter.

curl -s -X POST https://api.authlete.com/api/auth/authorization \
-u '...:...' \
-H 'Content-Type: application/json' \
-d '{"parameters": 
  "redirect_uri=https://client.example.org/cb/example.com
   &scope=openid+payment
   &response_type=code+id_token
   &client_id=...
   &nonce=n-0S6_WzA2Mj
   &request=eyJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ.
    ewoicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9jbGllbnQ
    uZXhhbXBsZS5vcmcvY2IvZXhhbXBsZS5jb20iLAoicm
    VzcG9uc2VfdHlwZSI6ImNvZGUgaWRfdG9rZW4iLAoiY
    2xpZW50X2lkIjoiNTkxMjA1OTg3ODE2NDkwIiwKInNj
    b3BlIjoib3BlbmlkIHBheW1lbnQiLAoiZXhwIjoxNTU
    0OTczMDAwMCwKImF1ZCI6Imh0dHBzOi8vYXMuZXhhbX
    BsZS5jb20iLAoiY2xhaW1zIjp7CiAgImlkX3Rva2VuI
    jp7CiAgICAiYWNyIjp7CiAgICAgICJlc3NlbnRpYWwi
    OnRydWUsCiAgICAgICJ2YWx1ZXMiOlsidXJuOmV4YW1
    wbGU6cHNkMjpzY2EiXQogICAgfQogIH0KfSwKIm5vbm
    NlIjoibi0wUzZfV3pBMk1qIgp9Cg.b5rDSqaI3dh8n4
    A8hK4B5zSpnZNO_8--W-kTU03CNbCq1I_Vuf3w33ZVU
    hD0A-rla8cTPlZ25keQBncGWafzOA"}' | jq

Response


If Authlete has been properly configured, it sends back a response like this.

{
  "type": "authorizationResponse",
  "resultCode": "A004001",
  "resultMessage": 
    "[A004001] Authlete has successfully issued a ticket to the service
   (API Key = 174...020) for the authorization request from the client
   (ID = 591...490). [response_type=code id_token, openid=true]",
[...]
  "ticket": "rja...GiE"
[...]
