
5.2.1. URI Referencing the Request Object

The client stores the Request Object resource either locally or remotely at a URI the authorization server can access. Such a facility may be provided by the authorization server or a trusted third party. For example, the authorization server may provide a URL to which the client POSTs the Request Object and obtains the Request URI. This URI is the Request Object URI, request_uri.

It is possible for the Request Object to include values that are to be revealed only to the authorization server. As such, the request_uri MUST have appropriate entropy for its lifetime so that the URI is not guessable if it is publicly retrievable. For guidance, refer to Section 5.1.4.2.2 of [RFC6819] and "Good Practices for Capability URLs" [CapURLs]. It is RECOMMENDED that the request_uri be removed after a reasonable timeout unless access control measures are taken.

The following is an example of a Request Object URI value (with line wraps within values for display purposes only). In this example, a trusted third-party service hosts the Request Object.

https://tfp.example.org/request.jwt/
GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
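As an added illustration (not part of this specification or of any implementation it describes), the following Python sketch shows how a hosting service can satisfy the two requirements above: it mints a request_uri whose path component carries 256 bits of entropy (43 URL-safe characters, the same shape as the identifier in the example) and removes the stored Request Object once its lifetime has elapsed. The base URL, the 60-second lifetime and the injectable clock are assumptions made for the example.

```python
import secrets
import time

# Constructed base URL for the hosting service (assumption, not taken from the RFC).
REQUEST_URI_BASE = "https://tfp.example.org/request.jwt/"
# Lifetime after which an unretrieved request_uri is removed (assumed value).
DEFAULT_TTL_SECONDS = 60


class RequestObjectStore:
    """Mints request_uri values for stored Request Objects and expires them."""

    def __init__(self, ttl=DEFAULT_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so the expiry path can be exercised offline
        self._objects = {}  # request_uri -> (request_object_jwt, expires_at)

    def store(self, request_object_jwt):
        """Store a Request Object and return the request_uri that references it."""
        # 32 random bytes (256 bits) from the OS CSPRNG, rendered as 43 URL-safe
        # characters: unguessable for any realistic lifetime, as the section requires.
        identifier = secrets.token_urlsafe(32)
        request_uri = REQUEST_URI_BASE + identifier
        self._objects[request_uri] = (request_object_jwt, self._clock() + self._ttl)
        return request_uri

    def _purge_expired(self):
        """Drop every entry whose lifetime has elapsed (the RECOMMENDED removal)."""
        now = self._clock()
        for uri in [u for u, (_, exp) in self._objects.items() if exp <= now]:
            del self._objects[uri]

    def fetch(self, request_uri):
        """Return the Request Object for request_uri, or None if unknown or expired."""
        self._purge_expired()
        entry = self._objects.get(request_uri)
        return None if entry is None else entry[0]
```

Expiry is enforced on every lookup rather than by a background task, so a dereference after the timeout fails even if nothing else has run in between.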