An OpenID Connect authorisation request protected by a digital signature so its parameters cannot be altered in transit. The signature preserves request integrity, which is valuable when access decisions depend on exact client intent, scope, or redirect behaviour.
Expanded Definition
A Signed openid connect Request is an OpenID Connect authorisation request that is digitally signed so the relying party can verify who created it and whether the parameters were changed before arrival. In practice, that means values such as client_id, scope, redirect_uri, nonce, and response_type are protected from tampering once the request leaves the client.
In the NHI and agentic AI domain, this matters because autonomous software often initiates login flows programmatically, and those flows may be replayed, brokered, or routed through intermediaries. A signed request helps preserve intent when the organisation needs stronger assurance that a downstream identity provider received the exact request the application issued. This is different from plain request parameters passed through a browser or from generic transport security, because the signature protects the request object itself rather than the network path alone. Standards usage is still evolving across vendors, especially where request signing is combined with encrypted request objects or pushed authorization requests. For background on the wider identity risk landscape, NHI Management Group’s Ultimate Guide to NHIs is a useful reference, alongside the NIST Cybersecurity Framework 2.0. The most common misapplication is treating a signed request as a substitute for client authentication, which occurs when teams rely on the signature alone without validating the client, redirect rules, and allowed claims.
Examples and Use Cases
Implementing signed requests rigorously often introduces extra key-management and validation overhead, requiring organisations to weigh stronger request integrity against added operational complexity.
- An AI agent starts an authorization flow for a backend service and signs the request so the identity provider can confirm the agent’s exact scope and redirect target.
- A financial platform uses signed request objects to reduce the risk of parameter injection when browser-based login flows pass through multiple intermediaries.
- A SaaS provider pairs signed requests with NIST Cybersecurity Framework 2.0 aligned access controls to preserve integrity for service-driven sign-ins.
- An enterprise NHI program references NHI Management Group’s Ultimate Guide to NHIs when deciding whether a service account should use signed requests for high-risk onboarding or step-up flows.
- A federation team uses signed authorization requests to ensure the consent screen reflects the same request that the application originally generated, not a modified version.
These use cases are strongest where exact request integrity is part of the trust decision, such as sensitive scopes, admin portals, or machine-initiated access that should never be silently broadened.
Why It Matters in NHI Security
Signed OpenID Connect requests reduce a subtle but important attack path: parameter tampering. Without a signature, an attacker or malicious intermediary can alter redirect behaviour, scopes, audience values, or login hints in ways that change what the identity provider authorizes. For NHIs, that risk is amplified because service accounts, bots, and AI agents often operate at scale, with automated login flows that are harder to inspect manually. NHI Management Group data shows that 97% of NHIs carry excessive privileges, which means a single modified request can have outsized impact if the resulting token inherits broad access. The same research also reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, underscoring why request integrity cannot be treated as optional.
Signed requests support governance by making authorization intent auditable and by narrowing the space for silent manipulation during federation. They are especially useful when requests move across proxies, embedded browsers, orchestration layers, or agent runtimes that introduce ambiguity about what was actually sent. Organisations typically encounter the consequences only after an unauthorized token is minted or an unexpected redirect is abused, at which point signed OpenID Connect requests become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Addresses identity request integrity and misuse risks in non-human authentication flows. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control rely on preserving the authenticity of authorization inputs. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous validation of access requests, including their integrity and provenance. |
Treat signed requests as one signal in a broader continuous verification path for every access attempt.
Related resources from NHI Mgmt Group
- What is OpenID Connect (OIDC) and how does it extend OAuth 2.0 for NHIs?
- Why does JWE matter in OAuth and OpenID Connect flows?
- What is the difference between SAML and OpenID Connect for enterprise access?
- Why do OAuth and OpenID Connect integrations create IAM risk even when they reduce password use?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 20, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
