PingOne

Request Parameter Signature Requirement

In PingOne, you can specify how an application sends the optional request parameter in its authorization requests. The application can send authorization requests with or without the request parameter, and with or without an optional digital signature.

You can choose a more secure option, a more flexible option, or a balance between the two. For more information, see https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests.

In PingOne, you can choose from the following options when configuring an OIDC-based application:

Default

Allow the application to send authorization requests with or without the request parameter as defined in the OpenID specification. When using the request parameter, the application must include a digital signature. This option provides a balance of security and flexibility.

Require signed request parameters

Require the application to use the request parameter as defined in the OpenID specification and include a digital signature in its authorization requests. This option provides the most security.

Allow unsigned request parameters

Allow the application to send authorization requests with or without the request parameter as defined in the OpenID specification. When using the request parameter, the application has the option to include a digital signature or not. This option provides the most flexibility.

The following table shows a comparison of the different options.

| Selection | Authentication request | Signed request | Unsigned request |
|---|---|---|---|
| Default | Yes | Yes | |
| Require signed request parameters | | Yes | |
| Allow unsigned request parameters | Yes | Yes | Yes |
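
The acceptance rules for the three options can be modeled as a server-side check. This is an added example, not PingOne code: it classifies an incoming authorization request as plain (no request parameter), signed, or unsigned, and applies the selected option. HS256 with a shared secret, the sample claims, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Request kinds each option accepts, taken from the option descriptions above.
POLICY = {
    "Default": {"plain", "signed"},
    "Require signed request parameters": {"signed"},
    "Allow unsigned request parameters": {"plain", "signed", "unsigned"},
}
SECRET = b"constructed-demo-secret"  # constructed value; HS256 is an assumption
CLAIMS = {"client_id": "demo-client", "response_type": "code", "scope": "openid"}  # constructed

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims, secret=None):
    """Build a request object: HS256-signed if a secret is given, else alg=none."""
    header = {"alg": "HS256" if secret else "none", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if secret else b""
    return signing_input + "." + b64url(sig)

def classify(params, secret):
    """Return 'plain', 'signed' or 'unsigned'; raise ValueError on a bad object."""
    if "request" not in params:
        return "plain"
    head, body, sig = params["request"].split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg == "none" and sig == "":
        return "unsigned"
    if alg != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("request object signature does not verify")
    return "signed"

def accepts(option, params, secret=SECRET):
    """Apply the selected option; malformed or tampered objects are always rejected."""
    try:
        return classify(params, secret) in POLICY[option]
    except (ValueError, AttributeError):
        return False

if __name__ == "__main__":
    unsigned = {"request": make_request_object(CLAIMS)}
    for option in POLICY:
        print(option, "-> unsigned request accepted:", accepts(option, unsigned))
```
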