PAR - Pushed Authorization Request on the AS/OP

Pushed Authorization Request is a standard in OAuth 2.0 and specified in RFC 9126 - OAuth 2.0 Pushed Authorization Requests.

The purpose of PAR is to allow a client to push authorization request parameters directly to the authorization server over the back channel. This avoids exposing these parameters to the user agent (i.e. a browser on the end-user's system) and reduces the potential attack surface.

  • Authenticity and integrity of the request parameters are ensured, because they arrive over an authenticated back-channel request instead of through the user agent.
  • Confidentiality of the request parameters is guaranteed.
  • Potential problems with overlong request URLs are avoided, since the front-channel request carries only client_id and request_uri.

PAR protocol

When PAR is configured in the authorization server, the PAR endpoint will be published as pushed_authorization_request_endpoint in the discovery document.

A client sends an authenticated request to this PAR endpoint of the authorization server to register an authorization request.

The authorization server responds to the client with a URI identifying the PAR request (request_uri).

The client can start the authorization code flow with client_id and request_uri as the only parameters.

Database storage of PAR requests

The authorization server persists the authorization request parameters from when the client pushes them until they are needed again when the user-agent starts the authorization code flow. This requires a database table called OAUTH2_PAR_REQUEST in the database.

Every time an authorization code flow is started with a request_uri, the corresponding PAR entry is consumed and deleted from the database, so a request_uri can be used only once. Unconsumed PAR requests (e.g. from flows the user never completed) can still accumulate in the database, which is why a clean-up job is provided for regular housekeeping.
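The following Python script is an added example that is not part of this documentation or of the IAM product. It walks through the PAR protocol described above from both sides, and models the storage and consumption behaviour of the previous section: an in-memory dictionary stands in for the OAUTH2_PAR_REQUEST table, clients are authenticated with a constructed client_secret (a simplification; production setups typically use private_key_jwt or mTLS), and the 60-second lifetime, the client names and the endpoint URLs are assumptions chosen for the demo. The request_uri prefix urn:ietf:params:oauth:request_uri: is the one mandated by RFC 9126. The consume step deletes the entry on first use, rejects a request_uri pushed by a different client, and rejects expired entries; cleanup() plays the role of the housekeeping task.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed demo registry of confidential clients: client_id -> client_secret.
# Assumption for the example only; real deployments use stronger client authentication.
CLIENT_SECRETS = {"demo-client": "demo-secret"}

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # prefix mandated by RFC 9126
PAR_LIFETIME_SECONDS = 60  # assumed lifetime; RFC 9126 recommends a short one (seconds to minutes)


@dataclass
class ParStore:
    """In-memory stand-in for the OAUTH2_PAR_REQUEST table.

    Maps request_uri -> (owning client_id, pushed parameters, expiry timestamp)."""
    entries: dict = field(default_factory=dict)

    def push(self, client_id, client_secret, params, now=None):
        """PAR endpoint: accept an authenticated pushed authorization request.

        Returns the response body as a dict; raises ValueError for a rejected request."""
        now = time.time() if now is None else now
        # The PAR endpoint is authenticated: reject unknown or mis-authenticated clients.
        expected = CLIENT_SECRETS.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            raise ValueError("invalid_client")
        # The pushed parameters must belong to the authenticated client ...
        if params.get("client_id") != client_id:
            raise ValueError("invalid_request: client_id mismatch")
        # ... and must not themselves carry a request_uri (RFC 9126 forbids this).
        if "request_uri" in params:
            raise ValueError("invalid_request: request_uri not allowed in PAR")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self.entries[request_uri] = (client_id, dict(params), now + PAR_LIFETIME_SECONDS)
        return {"request_uri": request_uri, "expires_in": PAR_LIFETIME_SECONDS}

    def consume(self, client_id, request_uri, now=None):
        """Authorization endpoint: resolve request_uri when the user agent arrives.

        The entry is deleted on first use, so a request_uri cannot be replayed."""
        now = time.time() if now is None else now
        entry = self.entries.pop(request_uri, None)
        if entry is None:
            raise ValueError("invalid_request: unknown or already used request_uri")
        owner, params, expires_at = entry
        if owner != client_id:
            raise ValueError("invalid_request: request_uri bound to another client")
        if now > expires_at:
            raise ValueError("invalid_request: request_uri expired")
        return params

    def cleanup(self, now=None):
        """Housekeeping task: drop unconsumed entries whose lifetime has passed.

        Returns the number of entries removed."""
        now = time.time() if now is None else now
        expired = [uri for uri, (_, _, exp) in self.entries.items() if now > exp]
        for uri in expired:
            del self.entries[uri]
        return len(expired)


def build_authorize_url(authorize_endpoint, client_id, request_uri):
    """Client side: the front-channel request carries only client_id and request_uri."""
    return authorize_endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


if __name__ == "__main__":
    store = ParStore()
    # Step 1: the client pushes the full authorization request over the back channel.
    response = store.push("demo-client", "demo-secret", {
        "client_id": "demo-client",
        "response_type": "code",
        "redirect_uri": "https://client.example/cb",   # constructed value
        "scope": "openid",
        "state": secrets.token_urlsafe(8),
    })
    # Step 2: the client redirects the browser with the short request_uri only.
    print(build_authorize_url("https://as.example/authorize", "demo-client", response["request_uri"]))
    # Step 3: the authorization server looks the parameters up once, then the entry is gone.
    print(store.consume("demo-client", response["request_uri"]))
    print("entries left:", len(store.entries))
```

The `now` parameter exists only so that expiry and clean-up can be exercised deterministically; omit it to use the wall clock. Note that because the authorization endpoint only ever sees client_id and request_uri, the scope, redirect_uri and state never appear in the browser's address bar or in web-server access logs.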

Migration from IAM 8.2 or older

To use PAR as an authorization server, a database migration is required to add the new table.

To migrate the database schema from IAM 8.2 or older, use the migration scripts provided in Relational databases for IAM.

Make sure that the OAuth 2.0 Clean-up Task is enabled since the clean-up of PAR requests is an integral part of this task.