Preface
JARM (JWT Secured Authorization Response Mode for OAuth 2.0) is a response mode that encodes authorization responses as JWTs. It allows authorization servers to protect authorization responses with signature, encryption, sender authentication, audience restriction, etc. This article describes how to enable JARM.
Registering a JWK set to an Authlete service
This article assumes that you have registered a JWK set to your Authlete service. See the related KB article for the registration. The following screenshot is an example showing the registered JWK set.
Enabling signing for authorization responses to a client
Log in to the Developer Console that corresponds to the service above, and you will see the “Your Apps” page, which lists the clients of the service. Click the “Edit” button of the client that may ask the service to create JARM-compliant authorization responses.
Go to the Authorization tab and you will see “Authorization Response Signature Algorithm” in the Authorization Endpoint section. Choose an algorithm that matches one of the registered keys. For example, in this article, “ES256” has been selected because it is the only algorithm registered to the service.
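Once signing is enabled, the client has to validate the response JWT it receives. The following is an added example, not part of the original article and not Authlete code, showing those checks for an ES256-signed JARM response in Node.js. The issuer URL, client ID, state value and the locally generated key pair (standing in for the ES256 key registered to the service) are constructed assumptions.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed stand-in for the authorization server: signs the response parameters.
function issueJarmResponse(privateKey, claims) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256' }))}.${b64u(JSON.stringify(claims))}`;
  // JWS carries ECDSA signatures as raw r||s (IEEE P1363), not DER.
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Client side: returns the authorization response parameters or throws.
function validateJarmResponse(jwt, publicKey, expected, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  // Pin the algorithm configured for this client; never let the header choose it.
  if (fromB64u(h).alg !== 'ES256') throw new Error('unexpected alg');
  const ok = verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = fromB64u(p);
  if (claims.iss !== expected.issuer) throw new Error('wrong iss');
  if (![].concat(claims.aud).includes(expected.clientId)) throw new Error('wrong aud');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // state inside the JWT must match the value bound to this user agent session.
  if (claims.state !== expected.state) throw new Error('state mismatch');
  return claims;
}

// Constructed sample: sign a response, then validate it as the client would.
const sampleKeys = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleExpected = { issuer: 'https://as.example.com', clientId: 'client-123', state: 'st-789' };
const sampleJwt = issueJarmResponse(sampleKeys.privateKey, {
  iss: sampleExpected.issuer, aud: sampleExpected.clientId,
  exp: Math.floor(Date.now() / 1000) + 600,
  code: 'constructed-auth-code', state: sampleExpected.state,
});
console.log(validateJarmResponse(sampleJwt, sampleKeys.publicKey, sampleExpected).code);
```

In a real client the public key comes from the authorization server's published JWK set rather than a locally generated pair.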
