Pushed Authorization Requests (PAR)
Pushed Authorization Requests (PAR) is an extension for OpenID Connect and OAuth, as detailed in https://datatracker.ietf.org/doc/html/rfc9126.
PAR has the following advantages:
- Mitigates issues caused by exceeding the maximum URL length or passing too many and/or too long URL request parameters in your request. When using PAR, you only include a short request_uri parameter as a reference.
- Improves security, similarly to encryption/signing of the request object, but in a simpler and more elegant fashion. With PAR, you prevent end-users (or bad actors) from seeing or tampering with the URL request parameters.
How PAR works
To use PAR in your OIDC application, you need to:
- Send a backend request (with the request parameters) to the PAR endpoint. You receive the request_uri in the response.
- Then, change your requests to the authorize endpoint to include the request_uri parameter, instead of passing the URL request parameters.
When using PAR, you specify the payload of the authorization request in the first request, which goes to the PAR endpoint. Then, in the request to the authorize endpoint, you pass only the request_uri reference.
Prerequisites
No additional configuration is needed to use PAR on a per-request basis.
How to enforce PAR in the Dashboard
If you want to use PAR only on a per-request basis, you may skip this step.
Optionally, you can configure your OIDC client to always require PAR. To do this:
- In the Signicat Dashboard, navigate to Products > eID Hub > OIDC clients.
- Choose the OIDC client and select Edit. If you haven't created a client yet, see Set up an OIDC client.
- In the Advanced > Security tab, tick the Requires Pushed Authorization Requests (PAR) box.
Note: The client now requires PAR in every authorization request. Requests that do not use PAR will fail.
Implementation
Implementing PAR changes your typical OIDC flow in the following way:
- You must make a backend call to the PAR endpoint before you make the request to the authorize endpoint.
- Then, in the request to the authorize endpoint, include only the request_uri (and the required parameters client_id and response_type), instead of all the normal URL parameters.
Step 1. Perform Pushed Authorization Requests
It is important that you send the PAR request from the backend of your application. Sending it from the frontend, or from any other insecure environment, exposes your client secret.
You find the PAR endpoint at https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/par. For example, https://example.signicat.com/auth/open/connect/par.
The HTTP request would be:
POST /auth/open/connect/par HTTP/2
Host: example.signicat.com
Authorization: Basic c2FuZGJveC1zaGlueS1oYXQtMTkxOlVTSnlZMEFsRG1IZkx3cUV6SFp6a2RXZ0tCYUNwS1BNcnRybjZPcVdueERtRjZLOA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000

client_id=<CLIENT_ID>&response_type=code&redirect_uri=<REDIRECT_URI>&scope=openid+profile+nin&prompt=login&state=1724229949354-Dyf&nonce=1725006273399-5Ca
Note how you should include the payload with all query parameters, such as scope and prompt, in the request to the PAR endpoint.
In return, you obtain the request_uri in the response from the PAR endpoint.
Example success response:
HTTP/2 201 Created
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"request_uri": "urn:ietf:params:oauth:request_uri:851358EAA07A23B315AFC00B1EAA9C34C6C4B04A2DA4B598D455CF1F62E004EB",
"expires_in": 600
}
Use the value of the request_uri from the PAR response in the subsequent request to the authorize endpoint.
Note that you can combine PAR with Private Key JWT client authentication.
Step 2. OIDC Authorize request
Now, use the request_uri in your authorize request, without including the URL request parameters.
Example authorization request:
https://<YOUR SIGNICAT DOMAIN>/auth/open/connect/authorize?
client_id=<CLIENT_ID>
&response_type=code
&request_uri=urn:ietf:params:oauth:request_uri:851358EAA07A23B315AFC00B1EAA9C34C6C4B04A2DA4B598D455CF1F62E004EB
These are the only changes you need to use PAR. Now, you may continue your OIDC flow as normal.
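The two steps above, as an added Python example that is not part of this documentation or Signicat's SDKs: the backend builds and sends the PAR request (Step 1), then checks the response and builds an authorize URL that carries only client_id, response_type and request_uri (Step 2). The helper names, the random state/nonce and the sample response are this example's own assumptions; the domain, client credentials and redirect URI are placeholders.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"

# Constructed sample of a PAR success response, shaped like the one shown above.
SAMPLE_PAR_RESPONSE = {
    "request_uri": REQUEST_URI_PREFIX + "851358EAA07A23B315AFC00B1EAA9C34C6C4B04A2DA4B598D455CF1F62E004EB",
    "expires_in": 600,
}


def build_par_request(domain, client_id, client_secret, redirect_uri, scope="openid profile nin"):
    """Step 1: build the backend POST to the PAR endpoint; state and nonce are random."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": scope, "prompt": "login", "state": state, "nonce": nonce}
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return (f"https://{domain}/auth/open/connect/par", headers,
            urllib.parse.urlencode(params), state, nonce)


def push_authorization_request(url, headers, body):
    """Send the PAR request (backend only: the Authorization header carries the client secret)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.status != 201:
            raise RuntimeError(f"PAR endpoint returned HTTP {resp.status}")
        return json.load(resp)


def build_authorize_url(domain, client_id, par_response):
    """Step 2: authorize URL carrying only client_id, response_type and request_uri."""
    request_uri = par_response.get("request_uri", "")
    if not request_uri.startswith(REQUEST_URI_PREFIX):
        raise ValueError("PAR response did not contain a usable request_uri")
    if int(par_response.get("expires_in", 0)) <= 0:
        raise ValueError("request_uri has already expired")
    query = urllib.parse.urlencode(
        {"client_id": client_id, "response_type": "code", "request_uri": request_uri})
    return f"https://{domain}/auth/open/connect/authorize?{query}"
```

Keep the returned state and nonce in the user's backend session so they can be compared with the values that come back on the redirect.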
To learn more about implementing OIDC flows, see the OIDC implementation documentation.