Skip to main content
Version: v2.0 (latest)

Pushed Authorization Requests (PAR)

Pushed Authorization Requests complement signed requests. Instead of putting parameters in the browser-facing URL at all, your application pushes them to OIDC Web's PAR endpoint over an authenticated back channel. The endpoint returns a short-lived request_uri that is opaque and single-use. The browser is then redirected to the authorization endpoint with only that reference.

When to use it. High-security deployments, and any time you want to keep request parameters entirely out of user-visible URLs. PAR combines naturally with JAR: push a signed request object for the strongest guarantee.

Advantages.

  • The real request parameters never appear in a tamperable, user-visible URL.
  • The request_uri is single-use and bound to your client, so it cannot be replayed or reused by another party.
  • PAR is a required building block for FAPI 2.0-grade integrations.

For the implementation, see Pushed Authorization Requests (PAR) in the User Guide.