Skip to content

Implement login using Pushed Authorization Requests (PAR)

OAuth 2.0 authorization requests, typically initiated from the front-channel (e.g., a web browser), have inherent issues. These requests can sometimes be too large for browsers to handle, and there is no guarantee that an adversary won't tamper with the request before it reaches the authorization server.

The OAuth 2.0 specification introduced Pushed Authorization Requests (PAR) to mitigate these issues. Using PAR, the authorization payload will be pushed to the /par endpoint of the authorization server from the back-channel. In response, the server will return a request_uri, a one-time use identifier which acts as a reference to the payload.

You can use the request_uri instead of the authorization payload when initiating the authorization request from the front-channel.

Note

The /par endpoint inherits the client authentication rules that are defined for the /token endpoint requests, including the relevant authentication methods. Learn more about Pushed Authorization Requests.

Prerequisites

To get started, you need to have an application registered in WSO2 Identity Server. If you don't already have one, register a web app with OIDC and take note of its client ID and secret.

Get a request_uri

The request_uri functions as a reference to your authorization payload. You can receive a request_uri by invoking the following endpoint in WSO2 Identity Server.

https://localhost:9443/oauth2/par

The following example shows how you can initiate an authorization code flow using the /par endpoint.

Request format

curl --location 'https://localhost:9443/oauth2/par'
    --header 'Content-Type: application/x-www-form-urlencoded'
    --header 'accept: application/json'
    --header 'Authorization: Basic <Base64Encoded(ClientID:ClientSecret)>'
    --data-urlencode 'client_id={CLIENT_ID}'
    --data-urlencode 'redirect_uri={REDIRECT_URI}'
    --data-urlencode 'response_type=code'
    --data-urlencode 'scope=<SCOPES>'

Sample request

curl --location 'https://localhost:9443/oauth2/par'
    --header 'Content-Type: application/x-www-form-urlencoded'
    --header 'accept: application/json'
    --header 'Authorization: Basic YWRtaW46YWRtaW4='
    --data-urlencode 'client_id=DUBCMGolTZQNg6mmE9GvfQ3qfq8a'
    --data-urlencode 'redirect_uri=http://localhost:8080/playground2'
    --data-urlencode 'response_type=code'
    --data-urlencode 'scope=openid email'

You will receive a response with the request_uri and the time of expiry.

{
"expires_in": 60,
"request_uri": "urn:ietf:params:oauth:par:request_uri:a0cf571e-fe97-411a-8f33-3c01913c0e5f"
}

Note

  • WSO2 Identity Server uses the prefix, urn:ietf:params:oauth:par:request_uri: for the request_uri. The /authorize endpoint processes the request as initiated with PAR, only if the request_uri is of this format.
  • By default, the request_uri expires after 60 seconds. You can change the time of expiry (e.g. 90 seconds), by adding the following configuration to the deployment.toml file found in the <IS_HOME>/repository/conf directory. 
     [oauth.par]
 expiry_time=90

Start the authorization flow

You can use the request_uri that you received above, along with the client ID of the application to start the authorization flow using the following URL.

Request Format

https://localhost:9443/oauth2/authorize?
client_id={CLIENT_ID}&request_uri={request_uri}

Sample Request

https://localhost:9443/oauth2/authorize?
client_id=DUBCMGolTZQNg6mmE9GvfQ3qfq8a
&request_uri=urn:ietf:params:oauth:par:request_uri:a0cf571e-fe97-411a-8f33-3c01913c0e5f