gravitational · rhammonds-teleport · Aug 25, 2025 · Aug 22, 2025
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -5194,6 +5194,12 @@ message OIDCConnectorMFASettings {
   // 0 to always force re-authentication for MFA checks. This should only be set to a non-zero
   // value if the IdP is setup to perform MFA checks on top of active user sessions.
   int64 max_age = 6 [(gogoproto.casttype) = "Duration"];
+  // RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization
+  // requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality
+  // for authorization request parameters. If omitted, MFA flows will default to the `RequestObjectMode` behavior
+  // specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for
+  // the MFA client.
+  string RequestObjectMode = 7 [(gogoproto.jsontag) = "request_object_mode,omitempty"];
 }
 
 // OIDCAuthRequest is a request to authenticate with OIDC

diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -550,6 +550,12 @@ func (o *OIDCConnectorV3) WithMFASettings() error {
 	o.Spec.ClientSecret = o.Spec.MFASettings.ClientSecret
 	o.Spec.ACR = o.Spec.MFASettings.AcrValues
 	o.Spec.Prompt = o.Spec.MFASettings.Prompt
+	// Overwrite the base connector's request object mode iff the MFA setting's
+	// request object mode is explicitly set. Otherwise, the base setting should be assumed.
+	if o.Spec.MFASettings.RequestObjectMode != string(constants.OIDCRequestObjectModeUnknown) {
+		o.Spec.RequestObjectMode = o.Spec.MFASettings.RequestObjectMode
+	}
+
 	// In rare cases, some providers will complain about the presence of the 'max_age'
 	// parameter in auth requests. Provide users with a workaround to omit it.
 	omitMaxAge, _ := strconv.ParseBool(os.Getenv("TELEPORT_OIDC_OMIT_MFA_MAX_AGE"))

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/docs/pages/reference/operator-resources/resources-teleport-dev-oidcconnectors.mdx b/docs/pages/reference/operator-resources/resources-teleport-dev-oidcconnectors.mdx
@@ -74,4 +74,5 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |enabled|boolean|Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.|
 |max_age|string|MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions.|
 |prompt|string|Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.|
+|request_object_mode|string|RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. If omitted, MFA flows will default to the `RequestObjectMode` behavior specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for the MFA client.|
 
diff --git a/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx b/docs/pages/reference/terraform-provider/data-sources/oidc_connector.mdx
@@ -78,6 +78,7 @@ Optional:
 - `enabled` (Boolean) Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.
 - `max_age` (String) MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions.
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
+- `request_object_mode` (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. If omitted, MFA flows will default to the `RequestObjectMode` behavior specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for the MFA client.
 
 
 

diff --git a/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx b/docs/pages/reference/terraform-provider/resources/oidc_connector.mdx
@@ -108,6 +108,7 @@ Optional:
 - `enabled` (Boolean) Enabled specified whether this OIDC connector supports MFA checks. Defaults to false.
 - `max_age` (String) MaxAge is the amount of time in nanoseconds that an IdP session is valid for. Defaults to 0 to always force re-authentication for MFA checks. This should only be set to a non-zero value if the IdP is setup to perform MFA checks on top of active user sessions.
 - `prompt` (String) Prompt is an optional OIDC prompt. An empty string omits prompt. If not specified, it defaults to select_account for backwards compatibility.
+- `request_object_mode` (String) RequestObjectMode determines how JWT-Secured Authorization Requests will be used for authorization requests. JARs, or request objects, can provide integrity protection, source authentication, and confidentiality for authorization request parameters. If omitted, MFA flows will default to the `RequestObjectMode` behavior specified in the base OIDC connector. Set this property to 'none' to explicitly disable request objects for the MFA client.
 
 
 

diff --git a/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml b/...cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_oidcconnectors.yaml
@@ -151,6 +151,15 @@ spec:
                       omits prompt. If not specified, it defaults to select_account
                       for backwards compatibility.
                     type: string
+                  request_object_mode:
+                    description: RequestObjectMode determines how JWT-Secured Authorization
+                      Requests will be used for authorization requests. JARs, or request
+                      objects, can provide integrity protection, source authentication,
+                      and confidentiality for authorization request parameters. If
+                      omitted, MFA flows will default to the `RequestObjectMode` behavior
+                      specified in the base OIDC connector. Set this property to 'none'
+                      to explicitly disable request objects for the MFA client.
+                    type: string
                 type: object
               prompt:
                 description: Prompt is an optional OIDC prompt. An empty string omits

diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml
@@ -151,6 +151,15 @@ spec:
                       omits prompt. If not specified, it defaults to select_account
                       for backwards compatibility.
                     type: string
+                  request_object_mode:
+                    description: RequestObjectMode determines how JWT-Secured Authorization
+                      Requests will be used for authorization requests. JARs, or request
+                      objects, can provide integrity protection, source authentication,
+                      and confidentiality for authorization request parameters. If
+                      omitted, MFA flows will default to the `RequestObjectMode` behavior
+                      specified in the base OIDC connector. Set this property to 'none'
+                      to explicitly disable request objects for the MFA client.
+                    type: string
                 type: object
               prompt:
                 description: Prompt is an optional OIDC prompt. An empty string omits

diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go