PingFederate Server

Query parameters versus request object

By default, PingFederate sends all request parameters through multiple query parameters, unsigned.

If the Sign Request check box is selected, PingFederate creates a signed JSON web token (JWT) that contains claims representing the request parameters and passes the signed JWT as one query parameter, request, to the OpenID provider (OP). The client_id, response_type, and scope request parameters are always passed to the OP as individual query parameters as well.

Consider the following authentication requests based on the previous sample configuration. The client authenticates through the HTTP Basic authentication scheme and initiates a single sign-on (SSO) request without providing overrides for any request parameters.

Request parameters via query parameters
https://sso.alpha.local:9031/as/authorization.oauth2
?acr_values=PasswordProtectedTransport
&customMultiValued=value+one
&customMultiValued=value+two
&customOverridableOne=value+can+be+overridden
&hd=example.org
&prompt=login
&nonce=ykulMjpwAFk79R1rBOBWm5
&redirect_uri=https://www.example.com/sp/eyJpc3MiOiJodHRwczpcL1wvc3NvLmFscGhhLmxvY2FsOjkwMzEifQ/cb.openid
&state=e75nIlVU6Wa5TMmOwegDPSEI2iO9zd
&client_id=RP
&response_type=code
&scope=address+phone+edit+openid+profile+admin+email

Request parameters via a request object by value
https://sso.alpha.local:9031/as/authorization.oauth2
?request=eyJhbG...ZTMifQ.eyJhdW...lJQIn0.IAOpuf...IqCftg
&client_id=RP
&response_type=code
&scope=address+phone+edit+openid+profile+admin+email

The client_id, response_type, and scope request parameters are always passed to the OP as individual query parameters as defined in the OpenID Connect specification.

The value of the request query parameter, truncated for readability, is the request object, a signed JWT that contains the request parameters as individual claims, illustrated in the following decoded payload.

{
  "aud": "https://sso.alpha.local:9031",
  "exp": 1495645410,
  "acr_values": "PasswordProtectedTransport",
  "customMultiValued": [
    "value one",
    "value two"
  ],
  "customOverridableOne": "value can be overridden",
  "hd": "example.org",
  "prompt": "login",
  "nonce": "vhW2VJc7eZ6r6vfpiAwepd",
  "redirect_uri": "https://sso.rp.local:9021/sp/eyJpc3MiOiJodHRwczpcL1wvc3NvLmFscGhhLmxvY2FsOjkwMzEifQ/cb.openid",
  "state": "nFVzgFirZtg3kBXMFpWt5RNhO4oDuA",
  "client_id": "RP",
  "response_type": "code",
  "scope": "address phone edit openid profile admin email"
}
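
The two halves of the flow above, as an added example that is not PingFederate's own code: the client packs every request parameter into a signed request object and repeats only client_id, response_type and scope as plain query parameters; the OP verifies the signature, audience and expiry and rejects a request whose plain query parameters disagree with the claims in the request object. The HS256 shared key, the 300-second lifetime and all parameter values are constructed for the demo; PingFederate signs with its configured signing key.

```python
import base64, hmac, hashlib, json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed example values, not taken from a real deployment.
AS_BASE = "https://sso.alpha.local:9031"
AUTHZ_ENDPOINT = AS_BASE + "/as/authorization.oauth2"
SHARED_KEY = b"constructed-demo-key"  # HS256 keeps the demo stdlib-only; PingFederate normally uses asymmetric keys
ALWAYS_IN_QUERY = ("client_id", "response_type", "scope")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_authorization_url(params: dict, now: int, ttl: int = 300) -> str:
    """Client side: sign all request parameters into one JWT passed as `request`,
    and repeat only client_id, response_type and scope as plain query parameters."""
    claims = {"aud": AS_BASE, "exp": now + ttl, **params}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    query = {"request": f"{header}.{body}.{_b64url(sig)}"}
    query.update({k: params[k] for k in ALWAYS_IN_QUERY})
    return AUTHZ_ENDPOINT + "?" + urlencode(query)

def resolve_request(url: str, now: int) -> dict:
    """OP side: verify the request object and return the effective parameters.
    Raises ValueError on any integrity, audience, expiry or consistency failure."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    header, body, sig = query["request"].split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected request object algorithm")
    expected = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("request object signature invalid")
    claims = json.loads(_b64url_decode(body))
    if claims.get("aud") != AS_BASE:
        raise ValueError("request object not addressed to this OP")
    if claims.get("exp", 0) <= now:
        raise ValueError("request object expired")
    for k in ALWAYS_IN_QUERY:  # OIDC Core 6.1: duplicated values must match the request object
        if k in claims and claims[k] != query.get(k):
            raise ValueError(f"{k} differs between query and request object")
    effective = dict(query)
    effective.pop("request")
    effective.update({k: v for k, v in claims.items() if k not in ("aud", "exp")})
    return effective
```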

For more information, see the section explaining passing a request object by value in the OpenID Connect specification at openid.net/specs/openid-connect-core-1_0.html#RequestObject.