Overview

FAPI Pushed Request Object is a draft by the OpenID Foundation as part of the Financial API (FAPI) specifications. A request object can reach the Authorization Server in one of two ways:
- the request parameter may carry the request data directly, as a JWT
- the request_uri parameter carries a URI referring to a place from which the Authorization Server may retrieve the request object.
The request_uri mechanism additionally allows the client to send only the URI value in the Authorization Request as a pointer to the request object, rather than the full content of the request object itself. This allows larger amounts of request data to be transferred without running into URI length restrictions.
However, the request_uri mechanism also has some downsides. The client needs to maintain and expose request objects. This might look easy at first sight, but the client needs to be able to handle inbound requests from the Authorization Server and, potentially, store a large number of objects in its database, including the need to clean them up properly.
Moreover, in order to dereference the request_uri parameter of the Authorization Request, the Authorization Server has to make outbound HTTP requests to a client-controlled location, which brings with it all the potential problems of server-side request forgery.
The FAPI Pushed Request Object specification addresses these problems by moving the responsibility for managing request objects from the client to the Authorization Server. The Authorization Server offers an additional "request object endpoint". The client calls this endpoint to deliver its request object and is provided with a unique URI for that particular request object, which in turn is sent to the Authorization Server's authorization endpoint as the value of the request_uri parameter.
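The flow above, as an added illustration that is not code from the specification or from any implementation: a minimal in-memory model of the Authorization Server's request object endpoint and of the authorization endpoint's handling of request_uri. The URN prefix, the 60-second lifetime, the single-use rule and the in-memory store are assumptions made for the example; the point it shows is that the authorization endpoint only looks a pushed request object up locally and never dereferences a client-supplied URI.

```python
import secrets
import time

# Constructed in-memory store standing in for the AS database:
# request_uri -> (client_id, request_object, expiry_timestamp)
_store = {}
LIFETIME = 60          # assumed lifetime in seconds: pushed objects are short-lived
URI_PREFIX = "urn:example:request_uri:"   # assumed URN namespace minted by this AS


def request_object_endpoint(client_id, request_object, now=None):
    """Model of the 'request object endpoint': the (authenticated) client pushes
    its request object (a JWT, handled opaquely here) and receives a unique URI
    that only this Authorization Server can resolve."""
    now = time.time() if now is None else now
    request_uri = URI_PREFIX + secrets.token_urlsafe(32)   # unguessable reference
    _store[request_uri] = (client_id, request_object, now + LIFETIME)
    return {"request_uri": request_uri, "expires_in": LIFETIME}


def authorization_endpoint(client_id, request_uri, now=None):
    """Model of the authorization endpoint resolving request_uri.
    Only a local lookup is performed: no outbound HTTP request is ever made,
    so an attacker-supplied URL cannot be used for server-side request forgery."""
    now = time.time() if now is None else now
    entry = _store.get(request_uri)
    if entry is None:                        # unknown, already used, or not ours
        return {"error": "invalid_request_uri"}
    stored_client, request_object, expiry = entry
    if now > expiry:                         # stale reference: drop it and reject
        del _store[request_uri]
        return {"error": "invalid_request_uri"}
    if stored_client != client_id:           # bound to the client that pushed it
        return {"error": "invalid_request"}
    del _store[request_uri]                  # single-use: consumed on success
    return {"request_object": request_object}


def purge_expired(now=None):
    """Housekeeping now owned by the AS instead of the client (the clean-up
    burden discussed above). Returns the number of entries removed."""
    now = time.time() if now is None else now
    stale = [uri for uri, (_, _, expiry) in _store.items() if now > expiry]
    for uri in stale:
        del _store[uri]
    return len(stale)
```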