⚠️JAR Requirement - CRITICAL

📖 Getting started? Check the Integration Flow Overview to understand the complete integration process.
🔧 Need complete implementation guide? See JAR Complete Implementation Guide for detailed examples in multiple languages.

JAR Requirements by Client Type

Oten Identity Provider has different requirements based on your client type:

Confidential Clients (Server-side applications)

JAR is REQUIRED for all authorization requests
Traditional OAuth 2.0 query parameters will be rejected
Must use HS256 or EdDSA signing

Public Clients (SPAs/Mobile apps)

JAR is FORBIDDEN (cannot securely store signing keys)
PKCE is REQUIRED instead
Use direct authorization parameters
See PKCE Implementation Guide for details

Why JAR is Required for Confidential Clients

Security: Prevents parameter tampering and injection attacks
Integrity: Ensures request parameters cannot be modified in transit
Authentication: Verifies the request comes from a legitimate client
Key Management: Confidential clients can securely store signing keys

Supported Algorithms

Algorithm

Key Type

Use Case

HS256

Client Secret

Development, Internal Apps

EdDSA

Ed25519 Key Pair

Production, Public Apps

❌ Traditional OAuth (REJECTED for Confidential Clients)

// ❌ This approach will be REJECTED for confidential clients
const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&redirect_uri=${redirectURI}&response_type=code&scope=openid profile email&state=${state}`;

Error you'll get for confidential clients:

{
  "error": "invalid_request",
  "error_description": "JAR (request parameter) is required for confidential clients"
}

Note: Public clients (SPAs/Mobile) should use direct parameters with PKCE instead of JAR.

✅ JAR Approach (REQUIRED for Confidential Clients)

// ✅ This is the ONLY way that works for confidential clients
const requestJWT = await createJAR({
  client_id: clientId,
  redirect_uri: redirectURI,
  response_type: 'code',
  scope: 'openid profile email',
  state: state,
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
  nonce: nonce,
  prompt: 'none',
  max_age: 1000
});

const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&request=${requestJWT}`;

✅ PKCE Approach (REQUIRED for Public Clients)

// ✅ This is the ONLY way that works for public clients (SPAs/Mobile)
const authURL = new URL('https://account.oten.com/v1/oauth/authorize');
authURL.searchParams.set('client_id', clientId);
authURL.searchParams.set('response_type', 'code');
authURL.searchParams.set('redirect_uri', redirectURI);
authURL.searchParams.set('scope', 'openid profile email');
authURL.searchParams.set('state', state);
authURL.searchParams.set('code_challenge', codeChallenge);
authURL.searchParams.set('code_challenge_method', 'S256');

Quick Start

For immediate implementation:

Choose your method:
- HS256: Use your client secret (easier)
- EdDSA: Generate key pair (more secure)
Get complete examples:
- See JAR Complete Implementation Guide
- Copy working code for your language
Test your implementation:
- Use development environment first
- Verify JAR structure with debugging tools

Migration from Standard OAuth

If you're currently using traditional OAuth 2.0:

What Changes

Before: Send OAuth parameters as URL query parameters
After: Send OAuth parameters inside a signed JWT

Migration Steps

Keep your existing OAuth flow logic
Add JAR creation step before authorization redirect
Replace query parameters with JAR token

Example Migration

// Before: Traditional OAuth
const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&redirect_uri=${redirectURI}&response_type=code&scope=openid profile email&state=${state}`;

// After: JAR Required
const requestJWT = await createJAR(authParams);
const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&request=${requestJWT}`;

For complete migration examples, see JAR Complete Implementation Guide

Common JAR Errors

If you encounter errors, check these common issues:

Error

Quick Fix

invalid_request (Missing request parameter)

You're missing request parameter - implement JAR

invalid_request_object

Check your signing algorithm and keys

invalid_request (JAR expired)

Set JAR expiration to ≤ 5 minutes

For detailed error troubleshooting, see Common Errors

Quick Validation

Before testing, ensure:

JAR contains all OAuth parameters
JAR is signed with HS256 or EdDSA
JAR expiration ≤ 5 minutes
Authorization URL only has client_id and request parameters

For complete validation checklist, see JAR Complete Implementation Guide

Prerequisites - JAR setup requirements
JAR Complete Implementation Guide - Detailed examples in multiple languages
Step 3: Authorization Flow - Complete JAR implementation
Configuration Reference - Endpoints and settings
Common Errors - JAR-related error troubleshooting

← Previous: Prerequisites - Environment setup
↑ Overview: Integration Flow Overview - See the big picture
→ Next: Step 1: Choose OAuth Library - Select JAR-compatible library

Remember:

JAR is required for confidential clients
PKCE is required for public clients
JAR is forbidden for public clients

Alternative for Legacy Applications

Oten IDP supports JAR only by default. However, if your application cannot implement JAR due to technical constraints, please contact our support team to enable traditional OAuth flow for your specific use case.

📧 Contact Support: [email protected]

Include in your request:

Application details and technical constraints
Reason why JAR cannot be implemented
Security measures you have in place
Timeline for potential JAR migration

Security Notice: Traditional OAuth flow has lower security compared to JAR. It should only be used as a temporary solution while planning JAR implementation.

PreviousDiscovery Configuration NextJAR Complete Implementation Guide

Last updated 3 months ago