Request Parameter Signature Requirement
In PingOne, you can specify how an application sends the optional request parameter in its authorization requests. The application can send authorization requests with or without the request parameter, and with or without an optional digital signature.
You can choose a more secure option, a more flexible option, or a balance between the two. For more information, see https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests.
In PingOne, you can choose from the following options when configuring an OIDC-based application:
- Default
  Allow the application to send authorization requests with or without the request parameter as defined in the OpenID specification. When using the request parameter, the application must include a digital signature. This option provides a balance of security and flexibility.
- Require signed request parameters
  Require the application to use the request parameter as defined in the OpenID specification and include a digital signature in its authorization requests. This option provides the most security.
- Allow unsigned request parameters
  Allow the application to send authorization requests with or without the request parameter as defined in the OpenID specification. When using the request parameter, the application has the option to include a digital signature or not. This option provides the most flexibility.
The following table shows a comparison of the different options.
Selection | Authentication request | Signed request | Unsigned request |
---|---|---|---|
Default | Yes | Yes | |
Require signed request parameters | Yes | | |
Allow unsigned request parameters | Yes | Yes | Yes |
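
The following is an added example, not PingOne's code or API. It models how an authorization server could apply the three options as the descriptions above state them: it classifies each authorization request as plain, signed, or unsigned, then checks it against the selected option. HS256 with a shared secret, the key, the claim values, and all function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed key; HS256 is this sketch's assumption

# Request kinds each option accepts, following the option descriptions on this page.
POLICY = {
    "Default": {"plain", "signed"},
    "Require signed request parameters": {"signed"},
    "Allow unsigned request parameters": {"plain", "signed", "unsigned"},
}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str) -> str:
    return b64u(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def make_request_object(claims: dict, signed: bool = True) -> str:
    """Build a request object JWT: HS256-signed, or unsecured (alg none)."""
    header = {"alg": "HS256" if signed else "none", "typ": "JWT"}
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + (mac(signing_input) if signed else "")

def classify(params: dict) -> str:
    """Return 'plain', 'signed', 'unsigned' or 'invalid' for a request's parameters."""
    token = params.get("request")
    if token is None:
        return "plain"  # ordinary authorization request, no request parameter
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64u_dec(head)).get("alg")
    except (ValueError, AttributeError):
        return "invalid"  # not a three-part JWT with a JSON object header
    if alg == "none":
        return "unsigned" if sig == "" else "invalid"
    if alg != "HS256":
        return "invalid"  # algorithm outside what this sketch verifies
    ok = hmac.compare_digest(mac(f"{head}.{body}").encode(), sig.encode())
    return "signed" if ok else "invalid"

def accepts(option: str, params: dict) -> bool:
    """Apply the selected option to one authorization request."""
    return classify(params) in POLICY[option]

# Constructed sample claims for the demonstration.
CLAIMS = {"client_id": "demo-client", "response_type": "code", "scope": "openid"}
```

A request object whose signature does not verify is classified as invalid and rejected under every option, including Allow unsigned request parameters.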