Signed Authorize Requests
Instead of providing the parameters for an authorize request as individual query string key/value pairs, you can package them up in signed JWTs. This makes the parameters tamperproof and you can authenticate the client already on the front-channel.
You can either transmit them by value or by reference to the authorize endpoint - see the spec for more details.
Duende IdentityServer requires the request JWTs to be signed. We support X509 certificates and JSON web keys, e.g.:
var client = new Client{ ClientId = "foo",
// set this to true to accept signed requests only RequireRequestObject = true,
ClientSecrets = { new Secret { // X509 cert base64-encoded Type = IdentityServerConstants.SecretTypes.X509CertificateBase64, Value = Convert.ToBase64String(cert.Export(X509ContentType.Cert)) }, new Secret { // RSA key as JWK Type = IdentityServerConstants.SecretTypes.JsonWebKey, Value = "{'e':'AQAB','kid':'...','kty':'RSA','n':'...'}" } }}Passing Request JWTs By Reference
Section titled “Passing Request JWTs By Reference”If the request_uri parameter is used, IdentityServer will make an outgoing HTTP call to fetch the JWT from the specified URL.
You can customize the HTTP client used for this outgoing connection, e.g. to add caching or retry logic (e.g. via the Polly library):
idsvrBuilder.AddJwtRequestUriHttpClient(client =>{ client.Timeout = TimeSpan.FromSeconds(30);}) .AddTransientHttpErrorPolicy(policy => policy.WaitAndRetryAsync(new[] { TimeSpan.FromSeconds(1), TimeSpan.FromSeconds(2), TimeSpan.FromSeconds(3) }));Accessing The Request Object Data
Section titled “Accessing The Request Object Data”You can access the validated data from the request object in two ways:
- Wherever you have access to the
ValidatedAuthorizeRequest, theRequestObjectValuesdictionary holds the values. - In the UI code you can call
IIdentityServerInteractionService.GetAuthorizationContextAsync, the resulting AuthorizationRequest object contains theRequestObjectValuesdictionary as well.