Pushed Authorization Request (PAR)
Pushed Authorization Requests (PAR) is an OAuth 2.0 extension that allows clients to send the full authorization request directly to the authorization server via a secure back channel, using an HTTP POST to a dedicated PAR endpoint.
This approach avoids putting sensitive parameters in the browser URL—reducing the risk of tampering, interception, or hitting URL length limits.
After receiving the pushed request, the authorization server returns a short, opaque `request_uri` (a request identifier) that references the stored parameters. The client then redirects the user's browser to the authorization endpoint, including only the `client_id` and `request_uri`. The server uses the `request_uri` to retrieve and validate the original request before continuing with the flow.
How PAR Works
- Client POSTs the request to the `/par` endpoint. The client sends a complete authorization request payload (client ID, scopes, redirect URI, nonce, state, PKCE parameters, etc.) directly to the `/par` endpoint on the authorization server.
- Authorization server validates and stores the request. The authorization server authenticates the client and validates the authorization request parameters. If the request is valid, it stores the request securely and returns a `request_uri`.
- Client redirects the user with the `request_uri`. Instead of sending the full parameters in the redirect URL, the client redirects the user's browser to the authorization endpoint (`/authorize`) with only the client ID and the `request_uri`.
- Authorization server completes authorization. Upon receiving the redirect with the `request_uri`, the server retrieves the original parameters and continues the OAuth flow, ultimately issuing an authorization code and, later, tokens.
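The four steps above, walked through end to end as an added example (not code from the original page): the server side of `/par` authenticates the client, validates the pushed parameters, stores them with a short lifetime and returns a `request_uri` in the `urn:ietf:params:oauth:request_uri:` form defined by RFC 9126; the client then builds a front-channel redirect that carries only `client_id` and `request_uri`; finally the server redeems the `request_uri` once. The client registry, secret, endpoints and PKCE requirement are constructed assumptions for the example.

```python
import base64, hashlib, secrets, time
from urllib.parse import urlencode
# Constructed client registry for this example (not a real deployment).
CLIENTS = {"app-123": {"secret": "s3cr3t", "redirect_uris": {"https://app.example/cb"}}}
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # form defined by RFC 9126
PAR_TTL = 60          # seconds; pushed requests are meant to be short-lived
_store = {}           # request_uri -> (params, expiry); in-memory stand-in for the server's store

def par_endpoint(client_id, client_secret, params, now=None):
    """Server side of POST /par: authenticate the client, validate, store, hand back a request_uri."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return 401, {"error": "invalid_client"}          # client authentication happens here, early
    if "request_uri" in params:
        return 400, {"error": "invalid_request"}         # a pushed request may not itself carry request_uri
    if params.get("client_id") != client_id or params.get("response_type") != "code":
        return 400, {"error": "invalid_request"}
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return 400, {"error": "invalid_request"}         # redirect_uri checked against registration
    if not params.get("code_challenge") or params.get("code_challenge_method") != "S256":
        return 400, {"error": "invalid_request"}         # PKCE required by this example's policy
    request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
    _store[request_uri] = (dict(params), now + PAR_TTL)
    return 201, {"request_uri": request_uri, "expires_in": PAR_TTL}

def build_authorize_redirect(authorize_endpoint, client_id, request_uri):
    """Client side: the browser redirect carries only client_id and request_uri, nothing else."""
    return authorize_endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})

def resolve_request_uri(client_id, request_uri, now=None):
    """Server side of GET /authorize: look up the pushed request; single use, expiring, client-bound."""
    now = time.time() if now is None else now
    params, expiry = _store.pop(request_uri, (None, 0))  # pop: a request_uri can be redeemed only once
    if params is None or now > expiry or params["client_id"] != client_id:
        return None
    return params

def run_flow(now=None):
    """Walk the whole exchange once; returns (redirect_url, params the server recovered)."""
    verifier = secrets.token_urlsafe(32)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {"client_id": "app-123", "response_type": "code", "redirect_uri": "https://app.example/cb",
              "scope": "openid accounts", "state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
              "code_challenge": challenge, "code_challenge_method": "S256"}
    status, body = par_endpoint("app-123", "s3cr3t", params, now)
    assert status == 201, body
    url = build_authorize_redirect("https://as.example/authorize", "app-123", body["request_uri"])
    return url, resolve_request_uri("app-123", body["request_uri"], now)
```

The redirect URL produced by `run_flow` contains neither the scope nor the PKCE challenge; those only ever travel over the back channel and are recovered server-side from the store.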
Benefits of PAR
- Improved Security: Authorization parameters, which can contain sensitive information, are not exposed in the browser URL, preventing interception or tampering by malicious scripts, browser extensions, or network observers.
- Request Integrity: Since the authorization server validates the parameters upfront and stores them securely, it guarantees their integrity during the authorization flow.
- Avoids URL Length Limits: Complex or large authorization requests that might exceed browser URL length restrictions can be handled safely.
- Protects Privacy: Query strings with sensitive details are not leaked to third parties via referrer headers or server logs.
- Early Client Authentication: The server authenticates the client when it pushes the authorization request, enabling early detection of invalid or unauthorized clients.
PAR: Summary Table
Aspect | Description
---|---
What it is | OAuth 2.0 extension that pushes authorization requests over a back channel
Main mechanism | POST the authorization request parameters to the `/par` endpoint and receive a `request_uri`
User browser redirect | Includes only `client_id` and `request_uri`, not the full parameters
Security improvements | Prevents interception, tampering, and URL length issues
Authorization server role | Validates and stores the full request before user interaction
Common use | Financial-grade APIs, high-security OAuth/OIDC flows
In essence, PAR makes OAuth authorization flows more secure and reliable by using a backchannel mechanism for transmitting authorization parameters rather than embedding them in frontchannel redirects.