Signed request object

Hello!

I am trying to use signed request objects in the authentication request, as described here in the OIDC spec.

I created a client and uploaded my JWK public key, and then created a JWS and added it to the request parameter:

https://dev-xxxxxxxx.okta.com/oauth2/v1/authorize?client_id=<client_id>&response_type=code&scope=openid&request=<jws>

The JWS payload contains all required parameters:

{
  "client_id": <client_id>,
  "response_type": "code",
  "scope": "openid profile",
  "redirect_uri": <redirect_uri>,
  "state": "some state",
  "nonce": "some nonce",
  "iss": <client_id>,
  "aud": "https://dev-xxxxxxxx.okta.com"
}

But this returns an error:
“The request contained multiple parameters with the same name.”

If I remove all parameters except request it works as expected. However, according to the OIDC spec:

So that the request is a valid OAuth 2.0 Authorization Request, values for the response_type and client_id parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0. The values for these parameters MUST match those in the Request Object, if present.

Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.

Am I missing something here? It’s not a huge deal since the workaround is very simple, but I would prefer to be able to do this according to the specification as I’m trying to create a generic library that will work with any OIDC provider.

Thanks.

This looks to be a behavior that needs to be corrected in order to respect the OIDC spec.
Please send an email to developers@okta.com with these details so we can have a support case tied to the internal report as well.