Try Pushed Authorization Requests (PAR) in Asgardeo

Yoshani Ranaweera
3 min read · Oct 7, 2023


In a conventional authorization request the parameters travel over the front-channel: the client redirects the browser to the authorization endpoint with every parameter in the query string. With pushed authorization requests (PAR) the client instead POSTs the payload of the authorization request directly to the authorization server's PAR endpoint over the back-channel and receives a reference to it, called a request_uri, in return. The subsequent front-channel authorization request carries only that request_uri (plus the client_id), and the server looks up the pushed payload. The client authenticates to the PAR endpoint under the same rules that apply to the token endpoint.

Some of the many advantages of PAR over traditional authorization requests are:

  • Enhanced Security: the parameters are delivered over an authenticated back-channel, so the browser (or anything sitting on the front-channel) cannot tamper with them, and the authorization server knows which client pushed them.
  • Confidentiality Assurance: the parameters never appear in the browser's query string, so they are not exposed through browser history, Referer headers, web server logs or other sites.
  • Optimized Request Size: large requests (long scope lists, request objects) no longer have to fit in a URL, which avoids length limits and truncation problems.

Let’s look at the PAR flow.

(Sequence diagram of the PAR flow. Source: Asgardeo Docs [1])

1. The client makes a POST request to the `/par` endpoint comprising all the parameters required for authorization, authenticating itself exactly as it would at the token endpoint. With HTTP Basic authentication the header value is `Basic ` followed by the base64 encoding of `client_id:client_secret` (curl's `--user` option builds that header from the raw credentials).

curl --location 'https://api.asgardeo.io/t/{organization_name}/oauth2/par' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'accept: application/json' \
--user '{CLIENT_ID}:{CLIENT_SECRET}' \
--data-urlencode 'client_id={CLIENT_ID}' \
--data-urlencode 'redirect_uri={REDIRECT_URI}' \
--data-urlencode 'response_type=code' \
--data-urlencode 'scope=<SCOPES>'

2. The client is authenticated by the authorization server.

3. The pushed authorization request is validated.

4. If the validation is successful, the endpoint returns a response containing the request_uri.

5. The client makes an authorization request containing the client_id and the request_uri to the authorization endpoint.

https://api.asgardeo.io/t/{organization_name}/oauth2/authorize?
client_id={CLIENT_ID}&request_uri={request_uri}

6. The authorization request is validated.

7. If the validation is successful, the client receives the authorization code (or tokens directly, depending on the chosen response_type).

Now let’s try this in Asgardeo.

Before you begin, create an application in Asgardeo. Note the client ID and the client secret of the application; you need both, because the PAR endpoint requires client authentication.

It’s time to get a request uri. Initiate a POST request to the endpoint https://api.asgardeo.io/t/{organization_name}/oauth2/par passing all the usual authorization request parameters in the request body.

curl --location 'https://api.asgardeo.io/t/yoshani/oauth2/par' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'accept: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data-urlencode 'client_id=DUBCMGolTZQNg6mmE9GvfQ3qfq8a' \
--data-urlencode 'redirect_uri=http://localhost:8080/playground2' \
--data-urlencode 'response_type=code' \
--data-urlencode 'scope=openid email'

The value after `Basic` must be the base64 encoding of `client_id:client_secret` for your own application.

You will receive a response containing the request_uri and an expiry time. The request_uri expires in 60 seconds, and per RFC 9126 it is meant to be used once, so push a fresh request for every authorization attempt.

{
"expires_in": 60,
"request_uri": "urn:ietf:params:oauth:par:request_uri:a0cf571e-fe97-411a-8f33-3c01913c0e5f"
}

Now, you just have to use this request_uri instead of all the other authorization request parameters in the authorization request. The only additional parameter you should send is the client id.

https://api.asgardeo.io/t/yoshani/oauth2/authorize?
client_id=DUBCMGolTZQNg6mmE9GvfQ3qfq8a
&request_uri=urn:ietf:params:oauth:par:request_uri:a0cf571e-fe97-411a-8f33-3c01913c0e5f

At the backend, the request parameters that are referenced by the request_uri will be fetched, and the normal authorization flow will continue.
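The whole exchange from steps 1 to 7 above and the hands-on run just shown, as an added example that is not the page's code and not Asgardeo's implementation: a toy in-process model of both sides, with a PAR endpoint that authenticates the client and validates the pushed parameters, and an authorization endpoint that resolves the request_uri, checks its expiry and client binding, and consumes it. The registered client (`client-123`), its secret, the redirect URI and the `as.example` host are constructed assumptions.

```python
"""Toy in-process model of the PAR exchange (RFC 9126) with both sides.
Added example, not Asgardeo's implementation: the in-memory server has a
/par and an /authorize handler; the client pushes and builds the URL.
The registered client, secret, redirect URI and host are constructed."""
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (assumption, not a real application).
REGISTERED_CLIENTS = {
    "client-123": {"secret": "s3cret",
                   "redirect_uris": {"http://localhost:8080/playground2"}},
}
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:par:request_uri:"
REQUEST_URI_TTL = 60  # seconds; the expires_in the article shows
AUTHORIZE_ENDPOINT = "https://as.example/oauth2/authorize"  # assumed host


class OAuthError(Exception):
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


def form_dict(data):
    # Flatten application/x-www-form-urlencoded data to a plain dict.
    return {k: v[0] for k, v in parse_qs(data).items()}


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pushed = {}  # request_uri -> (client_id, params, expiry)

    def _authenticate(self, headers):
        # Same rule as the token endpoint: HTTP Basic, base64(client_id:client_secret).
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            raise OAuthError("invalid_client", "client authentication required")
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:
            raise OAuthError("invalid_client", "malformed credentials")
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(secret, client["secret"]):
            raise OAuthError("invalid_client", "unknown client or wrong secret")
        return client_id

    def par(self, headers, body):
        """POST /par: authenticate, validate the pushed request, mint a request_uri."""
        client_id = self._authenticate(headers)
        params = form_dict(body)
        if "request_uri" in params:  # RFC 9126 2.1: never accepted at the PAR endpoint
            raise OAuthError("invalid_request", "request_uri is not allowed here")
        if params.get("client_id") != client_id:
            raise OAuthError("invalid_request", "client_id differs from authenticated client")
        if params.get("redirect_uri") not in REGISTERED_CLIENTS[client_id]["redirect_uris"]:
            raise OAuthError("invalid_request", "redirect_uri is not registered")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(16)
        self._pushed[request_uri] = (client_id, params, self._clock() + REQUEST_URI_TTL)
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}

    def authorize(self, url):
        """GET /authorize?client_id=..&request_uri=..: resolve, check, consume."""
        query = form_dict(urlparse(url).query)
        # pop() makes the reference single-use: a replayed or leaked request_uri fails.
        entry = self._pushed.pop(query.get("request_uri"), None)
        if entry is None:
            raise OAuthError("invalid_request", "unknown or already used request_uri")
        client_id, params, expiry = entry
        if self._clock() > expiry:
            raise OAuthError("invalid_request", "request_uri has expired")
        if query.get("client_id") != client_id:  # request_uri is bound to its client
            raise OAuthError("invalid_request", "client_id does not match pushed request")
        return params  # the normal authorization flow continues with these


def basic_auth(client_id, client_secret):
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + token,
            "Content-Type": "application/x-www-form-urlencoded"}


def push_and_build_url(server, client_id, client_secret, redirect_uri, scope):
    """Client side: push the parameters, then build the front-channel URL (client_id + request_uri only)."""
    body = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                      "response_type": "code", "scope": scope})
    resp = server.par(basic_auth(client_id, client_secret), body)
    url = AUTHORIZE_ENDPOINT + "?" + urlencode(
        {"client_id": client_id, "request_uri": resp["request_uri"]})
    return resp, url


def error_code(call, *args):
    """Return the OAuth error code call(*args) raises, or None on success."""
    try:
        call(*args)
    except OAuthError as exc:
        return exc.error
```

Calling `push_and_build_url(AuthorizationServer(), "client-123", "s3cret", "http://localhost:8080/playground2", "openid email")` returns the `{"request_uri": ..., "expires_in": 60}` response and an authorize URL with only the two parameters; passing that URL to `authorize` yields the pushed parameters once, and a second call, an expired reference, a different `client_id`, or a push with the wrong secret, an unregistered `redirect_uri` or an embedded `request_uri` all fail with the OAuth error the server would return.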

You have successfully tried authorization using pushed authorization requests. For more details about the concept, see the specification, RFC 9126 [3].

References

[1] https://wso2.com/asgardeo/docs/references/pushed-authorization-requests

[2] https://wso2.com/asgardeo/docs/guides/authentication/oidc/implement-login-with-par

[3] https://datatracker.ietf.org/doc/html/rfc9126


Written by Yoshani Ranaweera

Software Engineer || CSE graduate from University of Moratuwa