This is version 1 2 3 4 5 . It is not the current version, and thus it cannot be edited.

Back to current versionRestore this version

Overview#

Pushed Authorization Requests is defined in RFC 9126 and defines the Pushed Authorization Requests (PAR) endpoint, which allows OAuth Clients to push the payload of an OAuth 2.0 Authorization Request to the Authorization Server via a direct request and provides them with a request URI that is used as reference to the data in a subsequent call to the Authorization_endpoint.

In OAuth 2.0 RFC 6749, Authorization Request parameters are typically sent as URI query parameters via redirection in the user agent.

JWT-Secured Authorization Request (JAR) RFC 9101 provides solutions for the security challenges by allowing OAuth Clients to wrap Authorization Request parameters in a Request Object, which is a signed and optionally encrypted JSON Web Token (JWT) RFC 7519. In order to cope with the size restrictions, JAR introduces the request_uri parameter that allows OAuth Clients to send a reference to a Request Object instead of the Request Object itself.

Pushed Authorization Requests complements JAR by providing an interoperable way to push the payload of an Authorization Request directly to the Authorization Server in exchange for a Request_uri value usable at the Authorization Server in a subsequent Authorization Request.

More Information#

There might be more information for this subject on one of the following:

• Mix-up attacks
• PAR
• RFC 9126