gravitational · rhammonds-teleport · Aug 13, 2025 · Jun 18, 2025 · Jul 14, 2025 · Jul 15, 2025
diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -198,6 +198,20 @@ const (
 	OIDCPKCEModeDisabled OIDCPKCEMode = "disabled"
 )
 
+// OIDCRequestObjectMode represents the Request Object Mode of an OIDC Connector.
+type OIDCRequestObjectMode string
+
+const (
+	// OIDCRequestObjectModeUnknown indicates an unknown or uninitialized state of the request object mode.
+	OIDCRequestObjectModeUnknown OIDCRequestObjectMode = ""
+	// OIDCRequestObjectModeNone indicates that request objects should not be used. Parameters should be encoded
+	// into the URI of the authorization request.
+	OIDCRequestObjectModeNone OIDCRequestObjectMode = "none"
+	// OIDCRequestObjectModeSigned indicates that a signed (unencrypted) request object should be encoded into
+	// the URI of the authorization request.
+	OIDCRequestObjectModeSigned OIDCRequestObjectMode = "signed"
+)
+
 // SecondFactorType is the type of 2FA authentication.
 type SecondFactorType string
 

diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -5294,6 +5294,10 @@ message OIDCConnectorSpecV3 {
   // UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should
   // match for identifier-first login.
   repeated string UserMatchers = 21 [(gogoproto.jsontag) = "user_matchers,omitempty"];
+  // RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization
+  // requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality
+  // for authorization request parameters.
+  string RequestObjectMode = 22 [(gogoproto.jsontag) = "request_object_mode,omitempty"];
 }
 
 // MaxAge allows the max_age parameter to be nullable to preserve backwards

diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -124,6 +124,10 @@ type OIDCConnector interface {
 	// GetUserMatchers returns the set of glob patterns to narrow down which username(s) this auth connector should
 	// match for identifier-first login.
 	GetUserMatchers() []string
+	// GetRequestObjectMode will return the RequestObjectMode of the connector.
+	GetRequestObjectMode() constants.OIDCRequestObjectMode
+	// SetRequestObjectMode sets the RequestObjectMode of the connector.
+	SetRequestObjectMode(mode constants.OIDCRequestObjectMode)
 	// SetUserMatchers sets the set of glob patterns to narrow down which username(s) this auth connector should match
 	// for identifier-first login.
 	SetUserMatchers([]string)
@@ -586,6 +590,16 @@ func (r *OIDCConnectorV3) GetUserMatchers() []string {
 	return r.Spec.UserMatchers
 }
 
+// GetRequestObjectMode returns the configured OIDC request object mode.
+func (r *OIDCConnectorV3) GetRequestObjectMode() constants.OIDCRequestObjectMode {
+	return constants.OIDCRequestObjectMode(r.Spec.RequestObjectMode)
+}
+
+// SetRequestObjectMode sets the OIDC request object mode.
+func (r *OIDCConnectorV3) SetRequestObjectMode(mode constants.OIDCRequestObjectMode) {
+	r.Spec.RequestObjectMode = string(mode)
+}
+
 // SetUserMatchers sets the set of glob patterns to narrow down which username(s) this auth connector should match
 // for identifier-first login.
 func (r *OIDCConnectorV3) SetUserMatchers(userMatchers []string) {

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/docs/pages/reference/operator-resources/resources-teleport-dev-oidcconnectors.mdx b/docs/pages/reference/operator-resources/resources-teleport-dev-oidcconnectors.mdx
@@ -46,6 +46,7 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |prompt|string|Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.|
 |provider|string|Provider is the external identity provider.|
 |redirect_url|[]string|RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.|
+|request_object_mode|string|RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.|
 |scope|[]string|Scope specifies additional scopes set by provider.|
 |user_matchers|[]string|UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.|
 |username_claim|string|UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.|

diff --git a/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx b/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx
@@ -48,6 +48,7 @@ Optional:
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
 - `provider` (String) Provider is the external identity provider.
 - `redirect_url` (List of String) RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
+- `request_object_mode` (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.
 - `scope` (List of String) Scope specifies additional scopes set by provider.
 - `user_matchers` (List of String) UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.
 - `username_claim` (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

diff --git a/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx b/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx
@@ -81,6 +81,7 @@ Optional:
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
 - `provider` (String) Provider is the external identity provider.
 - `redirect_url` (List of String) RedirectURLs is a list of callback URLs which the identity provider can use to redirect the client back to the Teleport Proxy to complete authentication. This list should match the URLs on the provider's side. The URL used for a given auth request will be chosen to match the requesting Proxy's public address. If there is no match, the first url in the list will be used.
+- `request_object_mode` (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters.
 - `scope` (List of String) Scope specifies additional scopes set by provider.
 - `user_matchers` (List of String) UserMatchers is a set of glob patterns to narrow down which username(s) this auth connector should match for identifier-first login.
 - `username_claim` (String) UsernameClaim specifies the name of the claim from the OIDC connector to be used as the user's username.

diff --git a/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml
@@ -174,6 +174,12 @@ spec:
                 items:
                   type: string
                 type: array
+              request_object_mode:
+                description: RequestObjectMode determines how JWT-Secured Authorization
+                  Requests will be used for authorization requests. JARs, or request
+                  objects, can provide integrity protection, source authentication,
+                  and confidentiality for authorization request parameters.
+                type: string
               scope:
                 description: Scope specifies additional scopes set by provider.
                 items:

diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml
@@ -174,6 +174,12 @@ spec:
                 items:
                   type: string
                 type: array
+              request_object_mode:
+                description: RequestObjectMode determines how JWT-Secured Authorization
+                  Requests will be used for authorization requests. JARs, or request
+                  objects, can provide integrity protection, source authentication,
+                  and confidentiality for authorization request parameters.
+                type: string
               scope:
                 description: Scope specifies additional scopes set by provider.
                 items:

diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go