Pushed Authorization Request (PAR) Endpoint
Overview
The Pushed Authorization Request (PAR) Endpoint allows clients to securely push authorization request parameters directly to the Identity Provider (IdP) via a backchannel POST request.
Instead of sending all authorization parameters in the front-channel (via the browser), the client sends them to the IdP in advance. The IdP returns a short-lived request_uri reference. The client then uses this request_uri in the front-channel redirect to the Authorization Endpoint.
This improves security (the parameters never travel through the browser, so they cannot be tampered with in transit or leaked through long query strings) and reliability (large requests no longer run into URL length limits). The use of PAR is encouraged by the FAPI working group within the OpenID Foundation. For example, the FAPI 2.0 Security Profile requires the use of PAR. This security profile is used by many of the groups working on open banking (primarily in Europe), in health care, and in other industries with high security requirements.
Endpoint
The endpoint is advertised as pushed_authorization_request_endpoint in the metadata exposed by the discovery endpoint and typically is:
POST https://[BASE_URL]/connect/par
Parameters (form-encoded)
All parameters normally passed to the Authorization Endpoint (response_type, client_id, redirect_uri, scope, state, nonce, etc.) must be included in the PAR request.
Parameter | Required | Description |
---|---|---|
response_type | Yes | Defines the flow (code, id_token, etc.). |
client_id | Yes | The client identifier registered with the IdP. |
redirect_uri | Yes | Must match a registered redirect URI. |
scope | Yes | Scopes requested (openid required for OIDC). |
state | Recommended | Opaque value for request correlation/CSRF protection. |
nonce | Required for id_token requests | Protects against replay attacks. |
Full documentation of all authorization parameters can be found here.
Authentication
- Confidential clients authenticate (e.g., HTTP Basic Auth or private_key_jwt).
- Public clients may use PKCE (Proof Key for Code Exchange).
Response
A successful response returns JSON with a request_uri and its lifetime (expires_in):
{
"request_uri": "urn:ietf:params:oauth:request_uri:1a2b3c4d",
"expires_in": 90
}
Usage Flow
- Push Authorization Request:
POST /par
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)

response_type=code&
client_id=my-client-id&
redirect_uri=https%3A%2F%2Frp.example.com%2Fcallback&
scope=openid%20profile&
state=xyz123&
nonce=abc987
- Receive request_uri:
The IdP returns a short-lived request_uri.
- Redirect User to Authorization Endpoint:
Instead of passing the full parameters, the RP redirects the user with only:
https://[BASE_URL]/connect/authorize?client_id=my-client-id&request_uri=urn:ietf:params:oauth:request_uri:1a2b3c4d
- IdP Resolves Request:
The IdP looks up the pushed request parameters, authenticates the user, and continues the flow as normal.
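The client side of the flow above, written out as an added example (this is illustrative code, not the IdP's SDK or the product's own implementation). The IdP host https://idp.example.com, the client secret and the fake_post transport are constructed assumptions; the transport is injected so the flow runs offline and echoes the sample response shown on this page. The same functions work against a real endpoint once post is backed by an HTTP library.

```python
"""Added example: a minimal PAR client.
Assumed (hypothetical): the IdP at https://idp.example.com exposes
/connect/par and /connect/authorize; client credentials are constructed.
The HTTP transport is injected so the flow can run offline."""
import base64
import json
from urllib.parse import urlencode, parse_qs

PAR_ENDPOINT = "https://idp.example.com/connect/par"              # assumed host
AUTHORIZE_ENDPOINT = "https://idp.example.com/connect/authorize"  # assumed host


def basic_auth_header(client_id, client_secret):
    # HTTP Basic: base64(client_id:client_secret), as in the request shown on the page.
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_par_request(client_id, client_secret, redirect_uri, scope, state, nonce,
                      response_type="code"):
    """Return (headers, form_body) for the backchannel POST to the PAR endpoint.
    Every parameter that would normally go to the Authorization Endpoint is
    included here; the front-channel redirect later carries only the reference."""
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return headers, urlencode(params)


def push_authorization_request(post, client_id, client_secret, **params):
    """post(url, headers, body) -> (status, response_text). Returns the parsed PAR response."""
    headers, body = build_par_request(client_id, client_secret, **params)
    status, text = post(PAR_ENDPOINT, headers, body)
    # RFC 9126 specifies 201 Created; accept 200 as well for lenient deployments.
    if status not in (200, 201):
        raise RuntimeError(f"PAR failed: {status} {text}")
    resp = json.loads(text)
    if not str(resp.get("request_uri", "")).startswith("urn:ietf:params:oauth:request_uri:"):
        raise RuntimeError("unexpected request_uri format")
    return resp


def build_authorize_url(client_id, request_uri):
    # Front-channel redirect carries only client_id and the opaque request_uri.
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": client_id,
                                                 "request_uri": request_uri})


def fake_post(url, headers, body):
    """Constructed stand-in for the IdP used to run this example offline.
    It checks the shape of the request and returns the response from the page."""
    if url != PAR_ENDPOINT:
        return 404, json.dumps({"error": "not_found"})
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, json.dumps({"error": "invalid_client"})
    fields = parse_qs(body)
    for required in ("response_type", "client_id", "redirect_uri", "scope"):
        if required not in fields:
            return 400, json.dumps({"error": "invalid_request"})
    return 201, json.dumps({"request_uri": "urn:ietf:params:oauth:request_uri:1a2b3c4d",
                            "expires_in": 90})


def run_flow(post=fake_post):
    """Steps 1-3 of the usage flow: push, receive request_uri, build the redirect URL."""
    resp = push_authorization_request(
        post, "my-client-id", "constructed-secret",
        redirect_uri="https://rp.example.com/callback", scope="openid profile",
        state="xyz123", nonce="abc987")
    return build_authorize_url("my-client-id", resp["request_uri"])


if __name__ == "__main__":
    print(run_flow())
```

Note that the state and nonce values are still generated and checked by the client exactly as in a non-PAR flow; PAR only changes where the parameters are transported.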
Security Considerations
- Prevents exposure of sensitive parameters in browser history, logs, or query strings.
- Ensures integrity of the authorization request (cannot be modified in transit).
- Short-lived request_uri values mitigate replay attacks.
- Clients should never log or store request_uri values beyond their lifetime.
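To make the considerations above concrete, here is an added example of how an IdP can enforce them on the server side: the PAR endpoint validates the pushed parameters from the table earlier on this page (registered client, registered redirect_uri, nonce when id_token is requested), mints an unguessable request_uri bound to the client, and the authorization endpoint accepts each reference only once and only within its lifetime. This is illustrative code, not the product's own implementation; the client registry and the injectable clock are constructed for the example.

```python
"""Added example: a short-lived, single-use request_uri store for an IdP.
Illustrative only; the registered client below is constructed and the clock is
injected so expiry can be exercised deterministically."""
import secrets
import time

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
REQUEST_URI_LIFETIME = 90  # seconds; matches expires_in in the page's sample response

# Constructed client registration (hypothetical).
REGISTERED_CLIENTS = {
    "my-client-id": {"redirect_uris": {"https://rp.example.com/callback"}},
}


class PushedRequestStore:
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # request_uri -> (client_id, params, expires_at)

    def push(self, authenticated_client_id, params):
        """Handle a PAR request from a client that has already authenticated.
        Validates the parameters and returns the JSON body the page describes."""
        client = REGISTERED_CLIENTS.get(authenticated_client_id)
        if client is None or params.get("client_id") != authenticated_client_id:
            raise ValueError("invalid_client")
        for name in ("response_type", "redirect_uri", "scope"):
            if not params.get(name):
                raise ValueError(f"invalid_request: missing {name}")
        # redirect_uri is checked here, so the front channel never sees an unregistered one.
        if params["redirect_uri"] not in client["redirect_uris"]:
            raise ValueError("invalid_request: unregistered redirect_uri")
        if "id_token" in params["response_type"].split() and not params.get("nonce"):
            raise ValueError("invalid_request: nonce required for id_token")
        # A pushed request must not itself reference another request_uri.
        if "request_uri" in params:
            raise ValueError("invalid_request: request_uri not allowed here")
        # 256 bits of randomness: the reference is opaque and unguessable.
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        expires_at = self._now() + REQUEST_URI_LIFETIME
        self._entries[request_uri] = (authenticated_client_id, dict(params), expires_at)
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def resolve(self, client_id, request_uri):
        """Called by the authorization endpoint. Removes the entry on first use,
        so a replayed redirect with the same request_uri is rejected."""
        entry = self._entries.pop(request_uri, None)
        if entry is None:
            raise ValueError("invalid_request_uri: unknown or already used")
        owner, params, expires_at = entry
        if owner != client_id:
            raise ValueError("invalid_request_uri: client_id mismatch")
        if self._now() > expires_at:
            raise ValueError("invalid_request_uri: expired")
        return params

    def purge_expired(self):
        """Housekeeping: drop expired entries so they are never stored beyond their lifetime."""
        now = self._now()
        stale = [uri for uri, (_, _, exp) in self._entries.items() if now > exp]
        for uri in stale:
            del self._entries[uri]
        return len(stale)


# Constructed sample parameters, mirroring the request on the page.
SAMPLE_PARAMS = {
    "response_type": "code",
    "client_id": "my-client-id",
    "redirect_uri": "https://rp.example.com/callback",
    "scope": "openid profile",
    "state": "xyz123",
    "nonce": "abc987",
}
```

Binding the entry to the authenticated client_id and checking it again at resolve time means a request_uri leaked from one client's logs cannot be consumed under another client's identity, and the pop-on-read makes the short lifetime a hard limit rather than a hint.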
Related Endpoints
- Authorization Endpoint – Consumes the request_uri.
- Token Endpoint – Exchanges the code obtained after authorization.