Pushed Authorization Requests (PAR) — Recommended
PAR (RFC 9126) keeps the request parameters out of the browser URL entirely. You push them to OIDC Web over an authenticated back channel. OIDC Web returns a short-lived, single-use request_uri to put in the redirect.
Step 1 — Push the Request
Authenticate as your client. For the strongest guarantee, combine PAR with a signed request object from JAR:
curl -s -X POST "$BASE/oidc/v1/par" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d client_id=$CLIENT_ID \
-d request=<signed_request_jwt> # or the individual parameters
Response (HTTP 201):
{
"request_uri": "urn:ietf:params:oauth:request_uri:5f3c…",
"expires_in": 600
}
Step 2 — Redirect the Browser
Use only the opaque reference:
$BASE/oidc/v1/authorize?client_id=$CLIENT_ID&request_uri=urn:ietf:params:oauth:request_uri:5f3c…
The request_uri is single-use, short-lived, and bound to your client. Another party cannot reuse or replay it. A PAR request may not contain a request_uri of its own. For signed-request (FAPI) clients, PAR enforces response_type=code, a registered redirect_uri, and PKCE S256.