JAR (JWT Secured Authorization Request)
OAuth 2.0 JWT Secured Authorization Request (RFC 9101) for passing authorization parameters as signed JWTs.
Request Object Creation

create_request_object(private_key, algorithm, client_id, audience, redirect_uri, scope='openid', response_type='code', state=None, nonce=None, code_challenge=None, code_challenge_method=None, lifetime=300, kid=None, **extra_claims)
Create a signed JWT request object per RFC 9101.

The request object carries the authorization parameters as JWT claims, so signing the JWT protects the integrity of the request. The JWT typ header is set to "oauth-authz-req+jwt" per RFC 9101 Section 10.2.
Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| private_key | str \| bytes | PEM-encoded private key for signing (bytes or str). | required |
| algorithm | str | Signing algorithm (e.g. | required |
| client_id | str | Client identifier - becomes both | required |
| audience | str | Authorization server issuer - becomes | required |
| redirect_uri | str | Registered redirect URI. | required |
| scope | str | Space-delimited scopes (default | 'openid' |
| response_type | str | OAuth 2.0 response type (default | 'code' |
| state | str \| None | CSRF protection value. | None |
| nonce | str \| None | OpenID Connect nonce for replay protection. | None |
| code_challenge | str \| None | PKCE code challenge. | None |
| code_challenge_method | str \| None | PKCE method ( | None |
| lifetime | int | JWT validity in seconds (default 300). | 300 |
| kid | str \| None | Key ID to include in the JWT header for key lookup. | None |
| **extra_claims | Any | Additional claims to include in the request object. | {} |
Returns:

| Type | Description |
|---|---|
| str | The signed JWT string. |
Raises:

| Type | Description |
|---|---|
| ValueError | If algorithm is not supported, required parameters are empty, lifetime is not positive, code_challenge and code_challenge_method are not both provided, or extra_claims contains a reserved claim name. |
Authorization URL

build_jar_authorization_url(authorization_endpoint, client_id, request_object, scope=None, response_type=None)
Build an authorization URL with a JAR request parameter.

Per RFC 9101 Section 6.3, client_id MUST appear as a query parameter, and scope/response_type SHOULD be duplicated outside the request object for backward compatibility.
Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| authorization_endpoint | str | The authorization server's authorize URL. | required |
| client_id | str | The registered client identifier. | required |
| request_object | str | Signed JWT from :func: | required |
| scope | str \| None | Optional scope to duplicate in query params. | None |
| response_type | str \| None | Optional response_type to duplicate in query params. | None |
Returns:

| Type | Description |
|---|---|
| str | The full authorization URL with the |
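Both functions on this page, as an added example that is not the project's own code: a stdlib-only sketch of create_request_object and build_jar_authorization_url showing the reserved-claim and lifetime checks, the "oauth-authz-req+jwt" typ header, and the Section 6.3 query-parameter rules. It assumes HS256 with a raw shared key in place of the PEM private_key and algorithm parameters (the standard library has no RSA/ECDSA signing), and the `now` argument, the `decode_part` helper and the RESERVED claim set are constructed here for illustration.

```python
# Added example, not the project's own code: stdlib-only RFC 9101 request object
# and Section 6.3 URL builders. HS256 with a raw key stands in for the PEM
# asymmetric key of the documented function purely so this runs without PyJWT.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlparse

TYP = "oauth-authz-req+jwt"  # RFC 9101 Section 10.2 media type
RESERVED = {"iss", "aud", "exp", "iat", "client_id", "redirect_uri"}  # set by the builder itself

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def decode_part(token: str, index: int) -> dict:
    """Decode header (0) or claims (1) WITHOUT verifying; for inspection only."""
    part = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def create_request_object(key: bytes, client_id, audience, redirect_uri,
                          scope="openid", response_type="code", lifetime=300,
                          kid=None, now=None, **extra_claims) -> str:
    if not (client_id and audience and redirect_uri):
        raise ValueError("client_id, audience and redirect_uri are required")
    if lifetime <= 0:
        raise ValueError("lifetime must be positive")
    if RESERVED.intersection(extra_claims):
        raise ValueError("extra_claims may not override reserved claims")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": TYP, **({"kid": kid} if kid else {})}
    claims = {"iss": client_id, "client_id": client_id, "aud": audience,
              "redirect_uri": redirect_uri, "scope": scope,
              "response_type": response_type, "iat": now, "exp": now + lifetime,
              **extra_claims}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(claims))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def build_jar_authorization_url(authorization_endpoint, client_id, request_object,
                                scope=None, response_type=None) -> str:
    # Section 6.3: client_id MUST be a query parameter; scope and response_type
    # SHOULD be duplicated so servers that ignore `request` still see them.
    params = {"client_id": client_id, "request": request_object}
    if scope:
        params["scope"] = scope
    if response_type:
        params["response_type"] = response_type
    sep = "&" if urlparse(authorization_endpoint).query else "?"
    return f"{authorization_endpoint}{sep}{urlencode(params)}"
```

The server side should reject any request object whose iss/client_id claims disagree with the client_id query parameter, whose aud is not its own issuer, or whose exp has passed.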