6.2. JWS-Signed Request Object
The authorization server MUST validate the signature of the JWS-signed [RFC7515] Request Object. If a kid Header Parameter is present, the key identified MUST be the key used and MUST be a key associated with the client. The signature MUST be validated using a key associated with the client and the algorithm specified in the alg Header Parameter. Algorithm verification MUST be performed, as specified in Sections 3.1 and 3.2 of [RFC8725].
If the key is not associated with the client or if signature validation fails, the authorization server MUST return an invalid_request_object error to the client in response to the authorization request.
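As an added illustration (not text or code from the RFC), the following Python validator implements the checks above on the authorization server side: algorithm verification per RFC 8725 before any key is used, the kid-must-belong-to-the-client rule (with the no-kid case falling back to every key associated with the client), and a single InvalidRequestObject error for every failure. The client registration data, kid names and the shared secret are constructed; HMAC algorithms are used only so the example runs on the standard library, a real server would equally accept the client's registered asymmetric keys.

```python
import base64, hashlib, hmac, json

class InvalidRequestObject(Exception):
    """Raised when the AS must answer with error=invalid_request_object."""

# Constructed registration data for one client (not from the RFC): its keys by kid
# and the algorithms it registered. HMAC keys keep the example on the standard library.
CLIENT_KEYS = {"kid-1": b"constructed-client-shared-secret"}
CLIENT_ALGS = {"HS256"}
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request_object(claims: dict, key: bytes, kid: str, alg: str = "HS256") -> str:
    """Client side: produce the compact JWS carried in the request parameter."""
    header = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_request_object(jws: str, client_keys: dict, allowed_algs: set) -> dict:
    """AS side: return the verified claims, or raise InvalidRequestObject."""
    try:
        h_b64, p_b64, s_b64 = jws.split(".")
        header = dict(json.loads(b64url_decode(h_b64)))  # JOSE header must be an object
        claims = json.loads(b64url_decode(p_b64))        # parsed, but not trusted yet
        signature = b64url_decode(s_b64)
    except (ValueError, TypeError):  # base64, UTF-8 and JSON failures all land here
        raise InvalidRequestObject("malformed JWS")
    # RFC 8725 3.1/3.2: the verifier, not the token, decides which algorithms are
    # acceptable; "none" or an unregistered alg is refused before any MAC is computed.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs or alg not in HMAC_ALGS:
        raise InvalidRequestObject("alg not permitted for this client")
    # A present kid must name a key associated with this client; absent kid: try all.
    kid = header.get("kid")
    if kid is not None and (not isinstance(kid, str) or kid not in client_keys):
        raise InvalidRequestObject("kid is not a key associated with the client")
    candidates = [client_keys[kid]] if kid is not None else list(client_keys.values())
    signing_input = f"{h_b64}.{p_b64}".encode()
    for key in candidates:
        expected = hmac.new(key, signing_input, HMAC_ALGS[alg]).digest()
        if hmac.compare_digest(expected, signature):
            return claims
    raise InvalidRequestObject("signature validation failed")
```

The error message text is internal; the client only ever sees error=invalid_request_object, so a forged kid, a downgraded alg and a bad signature are indistinguishable from outside.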