# JAR Requirement - CRITICAL > 📖 **Getting started?** Check the [Integration Flow Overview](broken://pages/iMMrTD1lQOMbxxvheKAz) to understand the complete integration process. > > 🔧 **Need complete implementation guide?** See [JAR Complete Implementation Guide](broken://pages/Dh6xDgKUfcwFtlZAntPO) for detailed examples in multiple languages. ## JAR Requirements by Client Type **Oten Identity Provider has different requirements based on your client type:** ### Confidential Clients (Server-side applications) * **JAR is REQUIRED** for all authorization requests * Traditional OAuth 2.0 query parameters will be rejected * Must use HS256 or EdDSA signing ### Public Clients (SPAs/Mobile apps) * **JAR is FORBIDDEN** (cannot securely store signing keys) * **PKCE is REQUIRED** instead * Use direct authorization parameters * See [PKCE Implementation Guide](https://gitlab.silvertiger.tech/documents/idp/-/blob/main/developer-guide/pkce-implementation-guide.md) for details ### Why JAR is Required for Confidential Clients * **Security**: Prevents parameter tampering and injection attacks * **Integrity**: Ensures request parameters cannot be modified in transit * **Authentication**: Verifies the request comes from a legitimate client * **Key Management**: Confidential clients can securely store signing keys ### Supported Algorithms | Algorithm | Key Type | Use Case | | --------- | ---------------- | -------------------------- | | **HS256** | Client Secret | Development, Internal Apps | | **EdDSA** | Ed25519 Key Pair | Production, Public Apps | ## ❌ Traditional OAuth (REJECTED for Confidential Clients) ```javascript // ❌ This approach will be REJECTED for confidential clients const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&redirect_uri=${redirectURI}&response_type=code&scope=openid profile email&state=${state}`; ``` **Error you'll get for confidential clients:** ```json { "error": "invalid_request", "error_description": "JAR (request parameter) is required for confidential clients" } ``` **Note**: Public clients (SPAs/Mobile) should use direct parameters with PKCE instead of JAR. ## ✅ JAR Approach (REQUIRED for Confidential Clients) ```javascript // ✅ This is the ONLY way that works for confidential clients const requestJWT = await createJAR({ client_id: clientId, redirect_uri: redirectURI, response_type: 'code', scope: 'openid profile email', state: state, code_challenge: codeChallenge, code_challenge_method: 'S256', nonce: nonce, prompt: 'none', max_age: 1000 }); const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&request=${requestJWT}`; ``` ## ✅ PKCE Approach (REQUIRED for Public Clients) ```javascript // ✅ This is the ONLY way that works for public clients (SPAs/Mobile) const authURL = new URL('https://account.oten.com/v1/oauth/authorize'); authURL.searchParams.set('client_id', clientId); authURL.searchParams.set('response_type', 'code'); authURL.searchParams.set('redirect_uri', redirectURI); authURL.searchParams.set('scope', 'openid profile email'); authURL.searchParams.set('state', state); authURL.searchParams.set('code_challenge', codeChallenge); authURL.searchParams.set('code_challenge_method', 'S256'); ``` ## Quick Start **For immediate implementation:** 1. **Choose your method:** * **HS256**: Use your client secret (easier) * **EdDSA**: Generate key pair (more secure) 2. **Get complete examples:** * See [JAR Complete Implementation Guide](broken://pages/Dh6xDgKUfcwFtlZAntPO) * Copy working code for your language 3. **Test your implementation:** * Use development environment first * Verify JAR structure with debugging tools ## Migration from Standard OAuth If you're currently using traditional OAuth 2.0: ### What Changes * **Before**: Send OAuth parameters as URL query parameters * **After**: Send OAuth parameters inside a signed JWT ### Migration Steps 1. **Keep your existing OAuth flow logic** 2. **Add JAR creation step** before authorization redirect 3. **Replace query parameters** with JAR token ### Example Migration ```javascript // Before: Traditional OAuth const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&redirect_uri=${redirectURI}&response_type=code&scope=openid profile email&state=${state}`; // After: JAR Required const requestJWT = await createJAR(authParams); const authURL = `https://account.oten.com/v1/oauth/authorize?client_id=${clientId}&request=${requestJWT}`; ``` **For complete migration examples, see** [**JAR Complete Implementation Guide**](broken://pages/Dh6xDgKUfcwFtlZAntPO) ## Common JAR Errors If you encounter errors, check these common issues: | Error | Quick Fix | | --------------------------------------------- | ------------------------------------------------ | | `invalid_request` (Missing request parameter) | You're missing request parameter - implement JAR | | `invalid_request_object` | Check your signing algorithm and keys | | `invalid_request` (JAR expired) | Set JAR expiration to ≤ 5 minutes | **For detailed error troubleshooting, see** [**Common Errors**](broken://pages/ChQqcK8cqX9LLgyQtBJT) ## Quick Validation Before testing, ensure: * [ ] JAR contains all OAuth parameters * [ ] JAR is signed with HS256 or EdDSA * [ ] JAR expiration ≤ 5 minutes * [ ] Authorization URL only has `client_id` and `request` parameters **For complete validation checklist, see** [**JAR Complete Implementation Guide**](broken://pages/Dh6xDgKUfcwFtlZAntPO) ## Related Documentation * [Prerequisites](broken://pages/qErS2kM8hpRocnYPaDQW) - JAR setup requirements * [JAR Complete Implementation Guide](broken://pages/Dh6xDgKUfcwFtlZAntPO) - Detailed examples in multiple languages * [Step 3: Authorization Flow](broken://pages/1zKgOda9hrWwNX8K6Zea) - Complete JAR implementation * [Configuration Reference](broken://pages/XsyPoCRDPUpz0vcP6KkD) - Endpoints and settings * [Common Errors](broken://pages/ChQqcK8cqX9LLgyQtBJT) - JAR-related error troubleshooting *** ## 🧭 Navigation * **← Previous**: [Prerequisites](broken://pages/qErS2kM8hpRocnYPaDQW) - Environment setup * **↑ Overview**: [Integration Flow Overview](broken://pages/iMMrTD1lQOMbxxvheKAz) - See the big picture * **→ Next**: [Step 1: Choose OAuth Library](broken://pages/CuJNdfiNnGHuqh7gDIK2) - Select JAR-compatible library *** **Remember**: * JAR is **required** for confidential clients * PKCE is **required** for public clients * JAR is **forbidden** for public clients ## Alternative for Legacy Applications **Oten IDP supports JAR only by default.** However, if your application cannot implement JAR due to technical constraints, please contact our support team to enable traditional OAuth flow for your specific use case. 📧 **Contact Support**: **Include in your request:** * Application details and technical constraints * Reason why JAR cannot be implemented * Security measures you have in place * Timeline for potential JAR migration **Security Notice**: Traditional OAuth flow has lower security compared to JAR. It should only be used as a temporary solution while planning JAR implementation. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://oten.gitbook.io/identity-support/integration/prerequisites/jar-requirement-critical.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.