
JARM (JWT Secured Authorization Response Mode)

Identity

OAuth extension that signs the authorization response as a JWT to protect its integrity.

JARM (JWT Secured Authorization Response Mode) is the OAuth extension that wraps the authorization RESPONSE (the redirect back from the IdP carrying the authorization code) in a signed JWT, complementing JAR (which signs the REQUEST). It gives the response end-to-end integrity and authenticity: the client can verify that the response really came from the IdP and that its parameters were not tampered with.

Problem solved: a standard OAuth response is `?code=abc&state=xyz` in the URL, so its parameters can be tampered with in transit, by browser extensions, or by malicious proxies. JARM wraps the response in a signed JWT that the client can verify.

Workflow:
(1) The client requests authorization with `response_mode=jwt` (or `query.jwt`, `fragment.jwt`, `form_post.jwt`).
(2) The user authenticates at the IdP.
(3) The IdP redirects back with `?response=<JWT>` (`query.jwt` example).
(4) The client decodes the JWT, verifies the signature (using the IdP's published JWKS), and extracts the authorization code, the state, and the error if any.
(5) The client proceeds with the token exchange.

Strengths:
(1) **Integrity** — code/state/error are tamper-evident.
(2) **Issuer authenticity** — signed by the IdP's key.
(3) **Mix-up attack prevention** — the JWT `iss` claim binds the response to a specific IdP (defeats multi-IdP confusion attacks).
(4) **Replay protection** — the `exp` claim limits validity.
(5) **Audience binding** — the `aud` claim ensures the response is intended for a specific client.

Combined with JAR + PAR + DPoP it forms the full FAPI 2.0 security stack; each component closes specific attack vectors.

Response mode options:
- `query.jwt` — JWT in the query string.
- `fragment.jwt` — JWT in the URL fragment (#).
- `form_post.jwt` — JWT in the form POST body.
- The plain `jwt` value selects one of these based on the `response_type`.

Use cases: FAPI 2.0, Open Banking, financial-grade compliance, healthcare interoperability, government identity. Niche outside high-security verticals.

Library support:
- **node-openid-client** — JARM support.
- **Spring Security** — JARM extensions.
- **Authlete, Okta, ForgeRock, Curity IdPs** — JARM-capable.

See also JAR (request side), PAR (pushed request), DPoP (token possession), FAPI (full profile). Skills: SC-300.

Certifications covering this concept: SC-300, AZ-500
Related terms: JAR (JWT-Secured Authorization Request), PAR (Pushed Authorization Requests), FAPI (Financial-grade API), JWT (JSON Web Token)
