Authorization Code Flow with JWT-Secured Authorization Requests (JAR)

To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.

JWT-Secured Authorization Request (JAR) is an extension of the OAuth 2.0 protocol that protects the integrity and authenticity of authorization request parameters. By wrapping parameters in a signed JSON Web Token (JWT), you prevent intermediaries from tampering with or viewing sensitive request data.

Prerequisites

Before using JAR, you must:

Generate a RSA key pair
Register the public key by uploading it to the Auth0 Dashboard as described in Configure JWT-Secured Authorization Requests

How it works

Instead of passing parameters like scope or redirect_uri as plain text in a URL, the client application wraps them into a signed JSON Web Token (JWT) as the request object:

Signing: The client application signs the JWT using its private key.
Verification: The Auth0 Authorization Server receives the JWT and verifies the signature using the public key you registered.
Processing: If valid, the Auth0 Authorization Server extracts the parameters. If a parameter exists in both the JAR and the query string, the value inside the JAR takes precedence.

Generate the JAR request

Use the Auth0 JWT library to generate a in your preferred language. The JWT header tells Auth0 which key and algorithm to use for verification. It must have the following parameters:

alg: The algorithm used to sign the JWT. Must be either RS256, RS384, or PS256.
typ: The type of JWT. Must be either jwt or oauth-authz-req+jwt.

The header may also contain a kid field that identifies the key used to sign the JWT. If a kid is present, Auth0 will look for a public key registered during JAR configuration that has a matching key ID and use that key to verify the JWT’s signature.

Payload

The payload contains the authorization parameters. It must contain the following claims:

iss: This must contain your app’s client_id
aud: This must be your tenant’s domain, with the protocol and a trailing forward slash. For example, https://{YOUR_DOMAIN}.auth0.com/

The JWT must also contain any mandatory parameters for the call to /authorize. For example:

client_id: This must also contain your app’s client_id
response_type: Indicates to Auth0 which flow you want to perform. Use code for Authorization Code Grant Flow.

The JWT may contain any of the optional parameters for the that is being requested, such as audience, scope, state, redirect_uri, among others. In addition, the JWT may contain the following optional claims:

iat: Must be a numeric date.
nbf: Must be a numeric date, representing a time in the past.
exp: Must be a numeric date, representing a time in the future.
jti: Must be a string no longer than 64 bytes.

Code sample: Generate and sign JAR

The following Node.js example uses the jsonwebtoken library to generate and sign a JAR:

const jwt = require('jsonwebtoken');
const crypto = require("crypto");
const fs = require('fs');

const privateKey = fs.readFileSync('{PATH_TO_YOUR_PEM_FILE}');
const client_id = '{YOUR_CLIENT_ID}';
const nonce = crypto.randomBytes(16).toString('hex');

const requestObject = jwt.sign(
{
  iss: client_id,    
  aud: 'https://your_tenant.auth0.com/', // your tenant's domain
  client_id,
  response_type: "code",
  scope: "openid profile",
  redirect_uri : "https://myapp.com/callback", // your app's callback URL
  nonce
},
privateKey,
{
  keyid: '{YOUR_KID}', // optional key id (kid) value from your public key
  algorithm: 'RS256',
  header: {
    typ: 'oauth-authz-req+jwt',
  },
});

console.log(requestObject);

Call the authorization endpoint

You can send the JAR to the Auth0 Authorization Server in the following ways:

Standard JAR request: Pass the signed JWT as a URL-encoded string in the request parameter.
Pushed Authorization Request: For enhanced security and to avoid URL length constraints, use PAR.

Standard JAR request

To call the /authorize endpoint using a standard JAR request:

Open a new browser window.
Pass your as the client_id parameter and the signed and URL-encoded JWT as the request parameter.

# MacOS
open "https://{YOUR_DOMAIN}.auth0.com/authorize?client_id={YOUR_CLIENT_ID}&request={URL_ENCODED_JWT}"

# Windows
explorer "https://{YOUR_DOMAIN}.auth0.com/authorize?client_id={YOUR_CLIENT_ID}&request={URL_ENCODED_JWT}"

Pushed Authorization Request

To call the /authorize endpoint with a pushed authorization request:

Send the JAR to the /oauth/par endpoint via a back-channel POST request.
Auth0 will return a request_uri, which you can then use to call the /authorize endpoint as in a regular PAR flow.

The following cURL request uses PAR and JAR together:

curl --location 'https://{YOUR_DOMAIN}.auth0.com/oauth/par' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={YOUR_CLIENT_ID}' \
--data-urlencode 'client_secret={YOUR_CLIENT_SECRET}' \
--data-urlencode 'request={JWT}'

Learn more

Configure JWT-secured Authorization Requests (JAR)

Auth0 Onboarding

Learn the Basics

Configure Auth0

Plan and Design

Auth0 AI

Authorization Code Flow with JWT-Secured Authorization Requests (JAR)

Prerequisites

How it works

Generate the JAR request

Header

Payload

Code sample: Generate and sign JAR

Call the authorization endpoint

Standard JAR request

Pushed Authorization Request

Learn more

Auth0 Onboarding

Learn the Basics

Configure Auth0

Plan and Design

Auth0 AI

​Prerequisites

​How it works

​Generate the JAR request

​Header

​Payload

​Code sample: Generate and sign JAR

​Call the authorization endpoint

​Standard JAR request

​Pushed Authorization Request

​Learn more

Prerequisites

How it works

Generate the JAR request

Header

Payload

Code sample: Generate and sign JAR

Call the authorization endpoint

Standard JAR request

Pushed Authorization Request

Learn more