Query parameters versus request object
By default, PingFederate sends all request parameters through multiple query parameters, unsigned.
If the Sign Request check box is selected, PingFederate creates a signed JSON web token (JWT) that contains claims representing the request parameters and passes the signed JWT as one query parameter, request
, to the OpenID provider (OP). The client_id
, response_type
, and scope
request parameters are always passed to the OP as individual query parameter as well.
Consider the following authentication requests based on the previous sample configuration. The client authenticates through the HTTP Basic authentication scheme and initiates single sign-on (SSO) request without providing overrides for any request parameters.
- Request parameters via query parameters
https://sso.alpha.local:9031/as/authorization.oauth2 ?acr_values=PasswordProtectedTransport &customMultiValued=value+one &customMultiValued=value+two &customOverridableOne=value+can+be+overridden &hd=example.org &prompt=login &nonce=ykulMjpwAFk79R1rBOBWm5 &redirect_uri=https://www.example.com/sp/eyJpc3MiOiJodHRwczpcL1wvc3NvLmFscGhhLmxvY2FsOjkwMzEifQ/cb.openid &state=e75nIlVU6Wa5TMmOwegDPSEI2iO9zd &client_id=RP &response_type=code &scope=address+phone+edit+openid+profile+admin+email
- Request parameters via a request object by value
https://sso.alpha.local:9031/as/authorization.oauth2 ?request=eyJhbG...ZTMifQ.eyJhdW...lJQIn0.IAOpuf...IqCftg &client_id=RP &response_type=code &scope=address+phone+edit+openid+profile+admin+email
The |
The value of the request
query parameter, truncated for readability, is the request object, a signed JWT that contains the request parameters as individual claims, illustrated in the following decoded payload.
{
"aud": "https://sso.alpha.local:9031",
"exp": 1495645410,
"acr_values": "PasswordProtectedTransport",
"customMultiValued": [
"value one",
"value two"
],
"customOverridableOne": "value can be overridden",
"hd": "example.org",
"prompt": "login",
"nonce": "vhW2VJc7eZ6r6vfpiAwepd",
"redirect_uri": "https://sso.rp.local:9021/sp/eyJpc3MiOiJodHRwczpcL1wvc3NvLmFscGhhLmxvY2FsOjkwMzEifQ/cb.openid",
"state": "nFVzgFirZtg3kBXMFpWt5RNhO4oDuA",
"client_id": "RP",
"response_type": "code",
"scope": "address phone edit openid profile admin email"
}
For more information, see the section explaining passing a request object by value in the OpenID Connect specification at openid.net/specs/openid-connect-core-1_0.html#RequestObject.