Configure JWT-secured Authorization Requests (JAR)

JWT-Secured Authorization Requests (JAR) allow OAuth2 authorization request parameters to be packaged into a single JWT request parameter which is then signed for integrity protection.

Prerequisites

Before configuring your application for using JAR, you must generate an RSA key pair.

Configure JAR for your application

Use Management API

You can configure JAR for your application using the signed_request_object client configuration property. The fields of this object (required, and the credentials list that holds the public key used to verify request objects) appear in the example requests that follow.

You can configure JAR for a new application or for an existing application via the Management API.

Configure JAR for a new application

When you create a new application, configure JAR by sending a POST request that includes the signed_request_object. In that same POST request you can also register the corresponding client credential (i.e., the public key in PEM format):

POST https://{yourTenant}.auth0.com/api/v2/clients
Authorization: Bearer [YOUR ACCESS TOKEN]
Content-Type: application/json
{
  "name": "My App using JAR",
  "signed_request_object": {
    "required": true,
    "credentials": [{
      "name": "My credential for JAR",
      "credential_type": "public_key",
      "pem": "[YOUR PEM FILE CONTENT]",
      "alg": "RS256"
    }]
  },
  "jwt_configuration": {
    "alg": "RS256"
  }
}


Configure JAR for an existing application

When updating an existing application, you need to explicitly create a client credential first. The following POST request uses your PEM file content to create your client credentials for JAR:

POST https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}/credentials
Authorization: Bearer [YOUR ACCESS TOKEN]
Content-Type: application/json
{
  "name": "My credentials for JAR",
  "credential_type": "public_key",
  "pem": "[YOUR PEM FILE CONTENT]",
  "alg": "RS256"
}


Then, assign the client credential to the signed_request_object client configuration. The following PATCH request associates your client credentials with the signed_request_object:

PATCH https://{yourTenant}.auth0.com/api/v2/clients/{yourClientId}
Authorization: Bearer [YOUR ACCESS TOKEN]
Content-Type: application/json
{
  "signed_request_object": {
    "credentials": [{"id": "[YOUR CREDENTIAL ID]"}]
  }
}
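As an added example that is not Auth0's own code or documentation, the following POSIX shell script walks the client side of this flow with nothing but openssl: it generates the RSA key pair named in the prerequisites, renders the JSON body for the credentials POST above from the public key PEM (escaping newlines as JSON requires), and then builds and verifies a signed request object of the kind the tenant will insist on once signed_request_object.required is true. The client id, redirect URI and tenant issuer are constructed placeholders, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not Auth0's code). Assumes openssl and a POSIX shell.
# Client id, redirect URI and issuer below are constructed placeholders.
set -e

# base64url without padding, as every JWT segment requires
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Restore standard base64 padding so openssl can decode a base64url segment
b64url_decode() {
  _s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#_s} % 4 )) -ne 0 ]; do _s="${_s}="; done
  printf '%s' "$_s" | openssl base64 -d -A
}

# Write jar_private.pem (stays with the application) and jar_public.pem
# (the one registered with the tenant) into directory $1
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/jar_private.pem" 2>/dev/null
  openssl pkey -in "$1/jar_private.pem" -pubout -out "$1/jar_public.pem"
}

# JSON body for POST /api/v2/clients/{id}/credentials from public key $1, named $2;
# PEM line breaks become the two characters backslash-n inside the JSON string
credential_payload() {
  _pem=$(awk '{printf "%s\\n", $0}' "$1")
  printf '{"name":"%s","credential_type":"public_key","pem":"%s","alg":"RS256"}\n' "$2" "$_pem"
}

# Signed request object (RFC 9101): $1 private key, $2 client_id, $3 redirect_uri, $4 issuer (aud)
build_request_object() {
  _hdr=$(printf '%s' '{"alg":"RS256","typ":"oauth-authz-req+jwt"}' | b64url)
  _now=$(date +%s)
  _pl=$(printf '{"iss":"%s","aud":"%s","client_id":"%s","response_type":"code","redirect_uri":"%s","scope":"openid profile","state":"%s","iat":%s,"exp":%s,"jti":"%s"}' \
        "$2" "$4" "$2" "$3" "$(openssl rand -hex 8)" "$_now" "$(( _now + 300 ))" "$(openssl rand -hex 16)" | b64url)
  _sig=$(printf '%s.%s' "$_hdr" "$_pl" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s\n' "$_hdr" "$_pl" "$_sig"
}

# The check the authorization server performs with the registered public key $1
# on JWT $2: returns 0 only when header.payload still matches the signature
verify_request_object() {
  _h=${2%%.*}; _rest=${2#*.}; _p=${_rest%%.*}; _s=${_rest#*.}
  _sigfile=$(mktemp)
  b64url_decode "$_s" > "$_sigfile"
  if printf '%s.%s' "$_h" "$_p" | openssl dgst -sha256 -verify "$1" -signature "$_sigfile" >/dev/null 2>&1; then
    _rc=0
  else
    _rc=1
  fi
  rm -f "$_sigfile"
  return $_rc
}

# Stand-alone run with constructed values
demo_dir=$(mktemp -d)
gen_keypair "$demo_dir"
credential_payload "$demo_dir/jar_public.pem" "My credential for JAR"
jwt=$(build_request_object "$demo_dir/jar_private.pem" "CONSTRUCTED_CLIENT_ID" \
      "https://app.example/callback" "https://example-tenant.auth0.com/")
echo "$jwt"
if verify_request_object "$demo_dir/jar_public.pem" "$jwt"; then echo "request object verified"; fi
rm -rf "$demo_dir"
```

Only jar_public.pem goes into the pem field of the credential; the private key never leaves the application. The JWT the script prints is what the application sends as the request parameter of the /authorize call, and verify_request_object is the check the tenant performs against the registered credential, which is why any edit to the payload after signing (a changed scope or redirect_uri, say) fails verification.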


Use Auth0 Dashboard

You can use the Auth0 Dashboard to configure your application to use JAR with previously generated RSA keys.

  1. Navigate to Auth0 Dashboard > Applications.

  2. Select the application you want to use with JAR.

  3. Select the Application Settings tab.

  4. In the Authorization Requests section, enable Require JWT-Secured Authorization Requests.

    (Screenshot: Dashboard > Applications > Settings)

  5. If no credential is assigned and there are credentials available, you will be prompted to assign an existing credential.

    (Screenshot: Dashboard > Applications > Settings > Assign Existing Credentials)

  6. You will also have the option to assign a new credential.

    (Screenshot: Auth0 Dashboard > Applications > Settings > Assign New Credentials)

  7. Add and assign a new credential by uploading the public key of a previously generated RSA key pair. When prompted, enter the following:

    • Name: a name to identify the credential

    • Public Key: public key of the X.509 certificate in PEM format

    • Algorithm: select the JAR signature algorithm

    • Expiration Date: set the expiration date of the credential
