Pushed authorization requests allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct (back-channel) request and in return receive a request URI that is used as a reference to that data in a subsequent authorization request.
2. Problem Statement
● The OAuth authorization code flow sends the authorization request parameters as URI query parameters via redirection through the user agent
● Challenges
○ There is no cryptographic integrity or authenticity protection of the request parameters
○ There is no mechanism to ensure confidentiality of the request parameters
○ Authorization request URLs can become quite large, especially in scenarios requiring fine-grained authorization data
5. JWT Secured Authorization Request (JAR)
● Security: Allows sending the authorization request as a signed and/or encrypted request object in JWT format
● Size: request_uri allows sending just a URI referring to the request object instead of the full request
6. Pushed Authorization Requests
● New draft https://tools.ietf.org/html/draft-lodderstedt-oauth-par-00
● Complements JAR by providing an interoperable way to push the payload of an authorization request object directly to the AS in exchange for a "request_uri"
● Provided via new pushed authorization request endpoint
● Accepts all parameters of the authorization endpoint and leverages the token endpoint's client authentication methods
● Authors: Brian Campbell, Nat Sakimura, Dave Tonge, Filip Skokan, Torsten Lodderstedt
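The exchange the slides describe, modelled end to end as an added example (not code from the draft or from any real authorization server): the client authenticates to the pushed authorization request endpoint with client_secret_basic, exactly as it would at the token endpoint, and posts the authorization parameters over the back channel; the AS validates them, stores them and returns a request_uri; the front-channel redirect then carries only client_id and request_uri; and the authorization endpoint resolves the reference once, within its lifetime and only for the client that pushed it. The client registration, secret, endpoint URLs and the in-memory store are constructed for the example; the request_uri prefix and the 90-second expires_in follow the draft's example values, and the invalid_request_uri error code is borrowed from JAR.

```python
"""Minimal model of an OAuth 2.0 Pushed Authorization Request (PAR) exchange.
Added example, not code from the draft or any real AS. Assumptions: one
confidential client using client_secret_basic, an in-memory store, and the
urn:ietf:params:oauth:request_uri: prefix from the draft's example."""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed client registration (assumption for the example).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {
        "client_secret": "7Fjfp0ZBr1KtDRbnfVdmIw",
        "redirect_uris": {"https://client.example.org/cb"},
    }
}
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
REQUEST_URI_TTL = 90  # seconds; the draft's example returns expires_in 90

_pushed_requests = {}  # request_uri -> (client_id, params, expiry)


class ParError(Exception):
    """Raised with an OAuth error code (invalid_client, invalid_request, ...)."""


def basic_auth_header(client_id, client_secret):
    """client_secret_basic credential, the same method used at the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def _authenticate_client(authorization_header):
    scheme, _, cred = authorization_header.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    except Exception:
        raise ParError("invalid_client") from None
    client = REGISTERED_CLIENTS.get(client_id)
    if scheme != "Basic" or client is None or not hmac.compare_digest(client["client_secret"], secret):
        raise ParError("invalid_client")
    return client_id


def par_endpoint(authorization_header, body, now=None):
    """AS side: authenticate the client, validate the pushed parameters as the
    authorization endpoint would, store them, and hand back a fresh request_uri."""
    now = time.time() if now is None else now
    client_id = _authenticate_client(authorization_header)
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if params.get("client_id", client_id) != client_id:
        raise ParError("invalid_request")  # body client_id must match the authenticated client
    if "request_uri" in params:
        raise ParError("invalid_request")  # a pushed payload may not itself carry a request_uri
    if params.get("response_type") != "code":
        raise ParError("unsupported_response_type")
    if params.get("redirect_uri") not in REGISTERED_CLIENTS[client_id]["redirect_uris"]:
        raise ParError("invalid_request")
    params["client_id"] = client_id
    request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(24)  # unguessable reference
    _pushed_requests[request_uri] = (client_id, params, now + REQUEST_URI_TTL)
    return {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}


def build_authorization_url(authorize_endpoint, client_id, request_uri):
    """Client side: the front-channel redirect carries only the reference."""
    return authorize_endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def authorization_endpoint_resolve(query, now=None):
    """AS side: resolve the reference. It is single-use, time-limited and bound
    to the client_id that pushed it, so a leaked or guessed value is useless."""
    now = time.time() if now is None else now
    q = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    entry = _pushed_requests.pop(q.get("request_uri", ""), None)  # pop = single use
    if entry is None:
        raise ParError("invalid_request_uri")
    client_id, params, expiry = entry
    if now > expiry or q.get("client_id") != client_id:
        raise ParError("invalid_request_uri")
    return params


def demo():
    """Both sides of the exchange on a constructed request; returns the PAR
    response, the short front-channel URL, and the payload the AS resolved."""
    client_id = "s6BhdRkqt3"
    body = urlencode({  # full authorization request, sent over the back channel only
        "response_type": "code", "redirect_uri": "https://client.example.org/cb",
        "scope": "openid profile", "state": "af0ifjsldkj",
        "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
        "code_challenge_method": "S256",
    })
    header = basic_auth_header(client_id, REGISTERED_CLIENTS[client_id]["client_secret"])
    par_response = par_endpoint(header, body)
    url = build_authorization_url("https://as.example.com/authorize", client_id, par_response["request_uri"])
    resolved = authorization_endpoint_resolve(url.split("?", 1)[1])
    return par_response, url, resolved


if __name__ == "__main__":
    print(demo())
```

Note what the model makes visible: the scope, state and PKCE values never appear in the browser URL, so the integrity and confidentiality problems from the problem statement disappear for the front channel, and the URL length no longer grows with the request. The reference is popped on first use, checked against its expiry and against the client_id on the redirect; in a real AS the store would be shared across instances and the PAR endpoint reached over TLS.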