As noted in this RFE: https://bugster.forgerock.org/jira/browse/OPENAM-16806
AM supports the JAR (JWT Secured Authorization Request) specification as defined here:
This specification allows the request object to be passed by reference: the reference is a request_uri value, which is stored in the client configuration.
Before a request_uri such as https://tfp.example.org/request.jwt/GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM can be used, its value must be pre-registered with the authorization server, in this case AM.
The intent is to mitigate the risks outlined in https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-10.4 when the client next calls the authorization endpoint with this value, i.e.:
This implementation has a major issue:
- The request object will eventually expire and be removed from the third-party resource that hosts it. The corresponding request_uri should then be removed from the client configuration as well; otherwise the configuration will keep growing.
The CDR specification, for example, dictates that:
- The Request URI MUST expire between 10 seconds and 90 seconds
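The following is an added example, not AM's code, showing the two controls the issue above turns on: a request_uri presented at the authorization endpoint is honoured only if it was pre-registered for that client, and every registration carries a bounded lifetime inside the CDR window (10 to 90 seconds) so expired values can be pruned instead of accumulating in the client configuration. The class and function names, the client id and the clock values are constructed for the example; the request_uri value is the one quoted above.

```python
"""
Added example (not AM's or ForgeRock's code): a minimal request_uri registry for
an OAuth 2.0 authorization server that accepts JAR request objects by reference.
  * is_allowed() accepts a request_uri only if it was pre-registered for the
    client and has not expired (the draft-ietf-oauth-jwsreq section 10.4 concern).
  * register() refuses lifetimes outside the CDR window of 10 to 90 seconds.
  * prune() removes expired values so the stored configuration stays bounded.
All names here are the example's own.
"""
from dataclasses import dataclass, field

MIN_TTL_SECONDS = 10   # CDR: the Request URI MUST expire between 10 and 90 seconds
MAX_TTL_SECONDS = 90


@dataclass
class RequestUriRegistry:
    # client_id -> {request_uri: absolute expiry time in seconds}
    _entries: dict = field(default_factory=dict)

    def register(self, client_id: str, request_uri: str, now: float, ttl: int) -> None:
        """Pre-register a request_uri for a client with a bounded lifetime."""
        if not MIN_TTL_SECONDS <= ttl <= MAX_TTL_SECONDS:
            raise ValueError(
                f"ttl must be between {MIN_TTL_SECONDS} and {MAX_TTL_SECONDS} seconds"
            )
        self._entries.setdefault(client_id, {})[request_uri] = now + ttl

    def is_allowed(self, client_id: str, request_uri: str, now: float) -> bool:
        """Decide whether the authorization endpoint may dereference request_uri.

        Unregistered values and expired registrations are both rejected, so a
        value the client never registered is never fetched by the server.
        """
        expiry = self._entries.get(client_id, {}).get(request_uri)
        return expiry is not None and now < expiry

    def prune(self, now: float) -> int:
        """Remove expired request_uri values; return how many were removed."""
        removed = 0
        for client_id in list(self._entries):
            uris = self._entries[client_id]
            for uri in [u for u, exp in uris.items() if exp <= now]:
                del uris[uri]
                removed += 1
            if not uris:
                del self._entries[client_id]
        return removed

    def registered_count(self, client_id: str) -> int:
        """Number of request_uri values currently stored for a client."""
        return len(self._entries.get(client_id, {}))


def demo() -> dict:
    """Walk through register / check / expire / prune with constructed values."""
    reg = RequestUriRegistry()
    client = "example-client"          # constructed client id
    uri = ("https://tfp.example.org/request.jwt/"
           "GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM")
    t0 = 1_700_000_000.0               # constructed clock value (seconds)
    reg.register(client, uri, now=t0, ttl=60)
    result = {
        "allowed_fresh": reg.is_allowed(client, uri, now=t0 + 30),
        "allowed_unregistered": reg.is_allowed(client, uri + "-other", now=t0 + 30),
        "allowed_after_expiry": reg.is_allowed(client, uri, now=t0 + 61),
        "count_before_prune": reg.registered_count(client),
    }
    # A periodic prune is what keeps the client configuration from growing.
    result["pruned"] = reg.prune(now=t0 + 61)
    result["count_after_prune"] = reg.registered_count(client)
    return result


if __name__ == "__main__":
    print(demo())
```

The prune step is the part the issue says is missing: without it, every pre-registered request_uri stays in the client configuration after the hosted request object has already expired. Running a prune on a schedule (or on each authorization request) keeps the stored set equal to the values that are still usable.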