---
title: Query parameters versus request object
description: By default, PingFederate sends all request parameters through multiple query parameters, unsigned.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_query_parameter_versus_request_objects
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_query_parameter_versus_request_objects.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
---

# Query parameters versus request object

By default, PingFederate sends all request parameters through multiple query parameters, unsigned.

If the **Sign Request** checkbox is selected, PingFederate creates a signed JSON web token (JWT) that contains claims representing the request parameters and passes the signed JWT as one query parameter, `request`, to the OpenID provider (OP). The `client_id`, `response_type`, and `scope` request parameters are always passed to the OP as individual query parameters as well.

Consider the following authentication requests based on the previous sample configuration. The client authenticates through the HTTP Basic authentication scheme and initiates a single sign-on (SSO) request without providing overrides for any request parameters.

* Request parameters via query parameters

```
https://sso.alpha.local:9031/as/authorization.oauth2
?acr_values=PasswordProtectedTransport
&customMultiValued=value+one
&customMultiValued=value+two
&customOverridableOne=value+can+be+overridden
&hd=example.org
&prompt=login
&nonce=ykulMjpwAFk79R1rBOBWm5
&redirect_uri=https://www.example.com/sp/eyJpc3MiOiJodHRwczpcL1wvc3NvLmFscGhhLmxvY2FsOjkwMzEifQ/cb.openid
&state=e75nIlVU6Wa5TMmOwegDPSEI2iO9zd
&client_id=RP
&response_type=code
&scope=address+phone+edit+openid+profile+admin+email
```

* Request parameters via a request object by value

```
https://sso.alpha.local:9031/as/authorization.oauth2
?request=eyJhbG...ZTMifQ.eyJhdW...lJQIn0.IAOpuf...IqCftg
&client_id=RP
&response_type=code
&scope=address+phone+edit+openid+profile+admin+email
```

**Note:** The `client_id`, `response_type`, and `scope` request parameters are always passed to the OP as individual query parameters as defined in the OpenID Connect specification.

The value of the `request` query parameter, truncated for readability, is the request object, a signed JWT that contains the request parameters as individual claims, illustrated in the following decoded payload.

```json
{
  "aud": "https://sso.alpha.local:9031",
  "exp": 1495645410,
  "acr_values": "PasswordProtectedTransport",
  "customMultiValued": [
    "value one",
    "value two"
  ],
  "customOverridableOne": "value can be overridden",
  "hd": "example.org",
  "prompt": "login",
  "nonce": "vhW2VJc7eZ6r6vfpiAwepd",
  "redirect_uri": "https://sso.rp.local:9021/sp/eyJpc3MiOiJodHRwczpcL1wvc3NvLmFscGhhLmxvY2FsOjkwMzEifQ/cb.openid",
  "state": "nFVzgFirZtg3kBXMFpWt5RNhO4oDuA",
  "client_id": "RP",
  "response_type": "code",
  "scope": "address phone edit openid profile admin email"
}
```

For more information, see the section explaining passing a request object by value in the OpenID Connect specification at [openid.net/specs/openid-connect-core-1_0.html#RequestObject](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject).
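Because `client_id`, `response_type`, and `scope` travel both inside the signed request object and as unsigned query parameters, a receiver or log reviewer can compare the two copies. The following is an added example, not PingFederate code: the function names are hypothetical, the sample JWT is constructed with a placeholder in place of a signature, and signature verification is assumed to be done separately with a JOSE library before any claim is trusted.

```python
import base64, json, time
from urllib.parse import parse_qs, urlencode, urlsplit

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def request_object_claims(jwt):
    """Decode the payload only. This does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))

def check_authz_request(url, expected_aud, now=None):
    """Hypothetical helper: list mismatches between query string and request object."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(url).query)
    claims = request_object_claims(query["request"][0])
    findings = []
    for name in ("client_id", "response_type"):  # must match the object when present there
        outer = query.get(name, [None])[0]
        if outer is None:
            findings.append(f"{name} missing from query string")
        elif name in claims and claims[name] != outer:
            findings.append(f"{name} mismatch: query={outer!r} object={claims[name]!r}")
    if "openid" not in query.get("scope", [""])[0].split():
        findings.append("scope query parameter lacks openid")
    aud = claims.get("aud")  # a JWT aud claim may be a string or a list
    if expected_aud not in ([aud] if isinstance(aud, str) else aud or []):
        findings.append("aud does not name this OP")
    if "exp" in claims and claims["exp"] <= now:
        findings.append("request object expired")
    return findings

def sample_url(claims, client_id="RP"):
    """Constructed request; the third segment is a placeholder, not a real signature."""
    jwt = ".".join([b64url_encode(json.dumps({"alg": "RS256"}).encode()),
                    b64url_encode(json.dumps(claims).encode()),
                    "placeholder-signature"])
    return "https://sso.alpha.local:9031/as/authorization.oauth2?" + urlencode(
        {"request": jwt, "client_id": client_id, "response_type": "code",
         "scope": "openid profile email"})

if __name__ == "__main__":
    claims = {"aud": "https://sso.alpha.local:9031", "exp": 1495645410,
              "client_id": "RP", "response_type": "code"}
    print(check_authz_request(sample_url(claims, "other"), claims["aud"], now=1495645000))
```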
