Pushed Authorization Request (PAR)

The Pushed Authorization Request (PAR) is a method for the client to send the authorization request parameters to the OIDC Provider server in a back-channel request.

This is useful for several reasons:

  • The client can send sensitive information directly to the authorization server, without exposing it to the user agent.
  • The OIDC Provider can ensure that the request parameters are not tampered with, e.g. when using private_key_jwt the JWT signature can be verified.
  • URL length limitations are avoided, as the request is sent in the body of the request.

Steps

  1. The client sends a back-channel request with the standard authorization parameters to the OIDC Provider.
  2. The OIDC Provider validates the request and returns a reference to the client.
  3. The client sends the reference to the user agent through the regular Authorize request.
  4. The Authorization Code flow continues as normal and the end-user authenticates.

API

Note

You will always find the up-to-date URL for the PAR endpoint in the OpenID Configuration document, under pushed_authorization_request_endpoint.

1. Create Pushed Authorization Request

Request

POST [pushed_authorization_request_endpoint]
Headers
Content-Type: application/x-www-form-urlencoded
Authentication

Client authentication according to supported methods.

Body

The body of the request contains the parameters of the authorization request, form encoded.

client_id=myclient-bankid-current
&scope=openid+profile
&redirect_uri=https%3A%2F%2Fmywebapp.example.org%2Fcallback
&response_type=code
&state=01e3ac8e-4a26-4dfb-79ca-2631394c4144
&nonce=1fb72f68-1bea-2ba2-12d7-24df1c999d1b

The body parameters are the same as the parameters of the Authorize request.

Response

Status
201 Created
Headers
Content-Type: application/json
Body

The response is a JSON structure containing the reference to the request object.

{
  "request_uri": "urn:ietf:params:oauth:request_uri:12627496-8a05-4e3d-a04c-9478fc9c456b",
  "expires_in": 300
}

2. Authorization Request with Request URI

Request

GET [authorization_endpoint]
?client_id=myclient-bankid-current
&request_uri=urn:ietf:params:oauth:request_uri:12627496-8a05-4e3d-a04c-9478fc9c456b

Response

After a series of redirects that will eventually lead back to the redirect_uri specified in the request, the response is delivered in the method specified by the response_mode parameter in the request.

This is the same as the Authorize response.
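The four steps above, from pushing the parameters to building the Authorize request that carries only the reference, as an added example that is not part of the original page or the provider's code. The endpoint URLs are assumed placeholders, and the provider side is a constructed in-memory stand-in that performs the checks a real PAR endpoint is expected to enforce: the client_id in the body must match the authenticated client, the redirect_uri must be registered for that client, and a request_uri can only be redeemed by the same client, before it expires, and only once.

```python
"""Added example (not the page's or the provider's code): a minimal PAR client
and a toy in-memory provider that validates and redeems request_uri references."""
import time
import uuid
from urllib.parse import parse_qs, urlencode

PAR_ENDPOINT = "https://op.example.org/par"              # assumed placeholder
AUTHORIZE_ENDPOINT = "https://op.example.org/authorize"  # assumed placeholder
REQUEST_URI_TTL = 300  # seconds; matches the expires_in value shown on the page


def build_par_body(client_id, scope, redirect_uri, state, nonce):
    """Step 1: form-encode the authorization parameters exactly as they are
    sent in the POST body to pushed_authorization_request_endpoint."""
    return urlencode({
        "client_id": client_id,
        "scope": scope,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "nonce": nonce,
    })


class ToyProvider:
    """Constructed stand-in for the OIDC Provider. It stores pushed requests
    and enforces: body client_id == authenticated client, redirect_uri is
    registered, and request_uri is same-client, unexpired and single-use."""

    def __init__(self, registered_redirects, now=time.time):
        self._registered = registered_redirects  # client_id -> set of redirect URIs
        self._now = now                          # injectable clock for testing expiry
        self._store = {}                         # request_uri -> (client_id, params, expires_at)

    def push(self, authenticated_client_id, body):
        """PAR endpoint: returns (status, json) like the page's 201 response."""
        params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
        if params.get("client_id") != authenticated_client_id:
            return 400, {"error": "invalid_request"}
        if params.get("redirect_uri") not in self._registered.get(authenticated_client_id, set()):
            return 400, {"error": "invalid_request"}
        request_uri = "urn:ietf:params:oauth:request_uri:" + str(uuid.uuid4())
        self._store[request_uri] = (authenticated_client_id, params, self._now() + REQUEST_URI_TTL)
        return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}

    def resolve(self, client_id, request_uri):
        """Authorization endpoint: redeem a request_uri. Returns the stored
        parameters, or None if unknown, expired or owned by another client.
        The entry is removed on first use so it cannot be replayed."""
        entry = self._store.pop(request_uri, None)
        if entry is None:
            return None
        owner, params, expires_at = entry
        if owner != client_id or self._now() > expires_at:
            return None
        return params


def build_authorize_url(client_id, request_uri):
    """Step 3: only client_id and the reference travel through the user agent."""
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def run_flow(provider, client_id, redirect_uri="https://mywebapp.example.org/callback"):
    """Client side of steps 1-3; returns the URL to send the user agent to,
    or None when the provider rejected the pushed request."""
    state, nonce = str(uuid.uuid4()), str(uuid.uuid4())
    body = build_par_body(client_id, "openid profile", redirect_uri, state, nonce)
    status, resp = provider.push(client_id, body)
    if status != 201:
        return None
    return build_authorize_url(client_id, resp["request_uri"])


if __name__ == "__main__":
    cid = "myclient-bankid-current"
    op = ToyProvider({cid: {"https://mywebapp.example.org/callback"}})
    print(run_flow(op, cid))
```

Because the sensitive parameters never reach the user agent, the only value worth protecting in the front-channel URL is the request_uri itself, which is why the provider binds it to the authenticating client, expires it after the advertised expires_in, and deletes it on first use.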