
docs: add request object doc #14126

Open: ossdhaval wants to merge 3 commits into main from docs-request-object

@ossdhaval ossdhaval commented May 21, 2026

Contributor

Prepare


Description

Target issue

closes #4731

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • Documentation
    • Added a "Using Request Objects" section to the authorization endpoint docs, explaining how JWT parameters can be provided by value or by reference.
    • Published comprehensive OpenID Connect Request Objects guidance: claim precedence, validation and discovery rules, signing/encryption expectations, error responses, configuration options, client metadata, and related provider metadata details.

Signed-off-by: Dhaval D <343411+ossdhaval@users.noreply.github.com>
@ossdhaval ossdhaval requested a review from yuriyz May 21, 2026 12:48
@ossdhaval ossdhaval self-assigned this May 21, 2026

mo-auto commented May 21, 2026

Member

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues



coderabbitai Bot commented May 21, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8ebf70b5-22f5-49d3-8d5e-aa3e2925d975

📥 Commits

Reviewing files that changed from the base of the PR and between e38b937 and f9d5df3.

📒 Files selected for processing (1)
  • docs/janssen-server/auth-server/openid-features/request-objects.md

📝 Walkthrough

Adds comprehensive Request Objects documentation and a short authorization-endpoint cross-reference: explains request/request_uri usage, by-value/by-reference handling, signing/encryption rules, validation, server/client configuration, error responses, metadata, and related links.

Changes

OpenID Connect Request Objects Documentation

Layer / File(s) | Summary
Authorization endpoint cross-reference (docs/janssen-server/auth-server/endpoints/authorization.md) | Added a "Using Request Objects" section explaining request and request_uri parameters and linking to the Request Objects documentation.
Request Objects concept and protocol (docs/janssen-server/auth-server/openid-features/request-objects.md) | Introduced the Request Objects feature and core protocol rules, including required OAuth parameters and JWT claim supersession.
Request Object by reference handling (docs/janssen-server/auth-server/openid-features/request-objects.md) | Documented request_uri discovery/usage, HTTPS expectations, fetched-JWT vs URL parameter precedence, fragment/hash verification, and examples.
Signing and encryption semantics (docs/janssen-server/auth-server/openid-features/request-objects.md) | Specified nested JWS-in-JWE signing-then-encryption, verification/decryption expectations, five-segment JWE enforcement, and forced-signed behavior.
Error responses and request-object-specific codes (docs/janssen-server/auth-server/openid-features/request-objects.md) | Added Request Object–specific error response table and noted standard authorization errors remain applicable.
Server configuration and properties (docs/janssen-server/auth-server/openid-features/request-objects.md) | Documented server properties: enable/disable flags, supported signing/encryption algs, enforcement toggles, hash verification, blocklist, and FAPI checks.
Client configuration and discovery metadata (docs/janssen-server/auth-server/openid-features/request-objects.md) | Documented per-client metadata (request_object_signing_alg, alg/enc, request_uris), example registration, OpenID Provider Metadata claims, and Janssen JWKS URL.
Related documentation links (docs/janssen-server/auth-server/openid-features/request-objects.md) | Added cross-references to authorization endpoint, PAR, client configuration, server properties, and security best practices documentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • yuriyz
  • manojs1978
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'docs: add request object doc' clearly and concisely describes the main change: adding documentation for the Request Object feature.
Description check | ✅ Passed | The PR description includes the target issue (#4731), follows the template structure, and confirms documentation updates with the required checklist item selected.
Linked Issues check | ✅ Passed | The PR successfully implements all objectives from issue #4731: comprehensive Request Object documentation covering definitions, OpenID Connect concepts, Janssen-specific configuration properties, algorithms, validation rules, and error handling.
Out of Scope Changes check | ✅ Passed | All changes are scoped to documentation for the Request Object feature; the PR adds a new section in authorization.md and comprehensive content in request-objects.md, both directly supporting the linked issue objectives.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@mo-auto mo-auto added area-documentation (Documentation needs to change as part of issue or PR) and comp-docs (Touching folder /docs) labels May 21, 2026

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/janssen-server/auth-server/openid-features/request-objects.md`:
- Around line 160-161: Add step-by-step CLI and TUI guidance plus screenshots to
the "Configure global Request Object settings" section that currently only
references Janssen TUI / Config API; specifically, include an example CLI
sequence using the Janssen config-api client (showing the exact command(s) to
set request object properties), a TUI walkthrough labeled "Auth Server ->
Properties -> Request Objects" with 3 annotated screenshots (open list, edit
modal, save/confirm), and a short example JSON payload for the Config API call
to mirror the CLI/TUI change. Update the text around the existing "Janssen TUI"
and "Auth Server -> Properties" references to link to the new screenshots and
the Config API example so readers can follow either path.
- Line 194: Replace the camelCase server property name with the discovery claim
name: change any occurrences of "requireRequestUriRegistration" to the discovery
claim "require_request_uri_registration" in the request_uris table/description
(and the nearby occurrences noted around lines 219-222) so the doc consistently
references the runtime discovery metadata key used by clients and discovery
responses.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f135f480-a167-4bed-a945-e4debf3b4327

📥 Commits

Reviewing files that changed from the base of the PR and between 92b8739 and e38b937.

📒 Files selected for processing (2)
  • docs/janssen-server/auth-server/endpoints/authorization.md
  • docs/janssen-server/auth-server/openid-features/request-objects.md

Comment thread docs/janssen-server/auth-server/openid-features/request-objects.md
Comment thread docs/janssen-server/auth-server/openid-features/request-objects.md Outdated
mo-auto previously approved these changes May 21, 2026
Signed-off-by: Dhaval D <343411+ossdhaval@users.noreply.github.com>

Successfully merging this pull request may close these issues.

docs(OIDC features): create documentation for Request Object
