(available since v1.2.0)
The :oauth_pushed_authorization_request plugin allows the payload of an OAuth 2.0 authorization request to be "pushed" to the authorization server via a direct, client-authenticated request; the server responds with a request URI that the client then uses as a reference to that data in the subsequent call to the authorization endpoint.
It is intended for client applications that want more confidentiality for the authorization request parameters (they travel in a back-channel request rather than in the browser redirect), and that want the client to be authenticated before any user interaction happens.
plugin :rodauth do
enable :oauth_authorization_code_grant, :oauth_pushed_authorization_request
end
Pushed authorization requests are bound to a client application and are stored in their own database table, identified by the oauth_pushed_authorization_requests_table auth method (default: :oauth_pushed_requests). They contain the following attributes:
oauth_pushed_authorization_requests_oauth_application_id_column (default: :oauth_application_id): the client application that generated the PAR.
oauth_pushed_authorization_requests_code_column (default: :code): the code by which the pushed authorization request is identified in the authorization request.
oauth_pushed_authorization_requests_expires_in_column (default: :expires_in): the timestamp after which the pushed authorization request is no longer valid.
oauth_pushed_authorization_requests_params_column (default: :params): the authorization request params (redirect URI, response mode, etc.) of the pushed authorization request, stored in URI-encoded form.
The /par endpoint requires client authorization.
The /par endpoint accepts, per RFC, the same parameters as the authorization request endpoint, with the exception of request_uri.
It also supports receiving the parameters inside a request parameter, like the one defined for JWT-Secured Authorization Requests.
When successful, the response serves the following parameters in the JSON response:
request_uri: the request URI that shall be used when calling the authorization request endpoint;
expires_in: the number of seconds during which the request URI above can be used.
The authorization request endpoint is then able to accept the request_uri as a query parameter, along with the respective client_id.
In order to require pushed authorization requests for a given client (i.e. reject authorization requests from it that do not carry a request_uri), set the value of the oauth_applications_require_pushed_authorization_requests_column column to true for that client application.
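The following is an added example, written for this page and not rodauth-oauth's own implementation, that models the two halves of the flow described above: the /par handler that stores the pushed parameters under a short-lived request URI, and the authorization-endpoint lookup that resolves and validates that URI (unknown, expired, or wrong-client references are rejected, and a client flagged with the require-PAR column is refused when it arrives without a request_uri). The `urn:ietf:params:oauth:request_uri:` prefix is the one defined by RFC 9126; the 60-second lifetime, the one-time-use choice, the in-memory Hash standing in for the oauth_pushed_requests table, and the `PushedAuthorizationRequests` class name are assumptions of this example, not settings of the plugin.

```ruby
require "securerandom"
require "uri"
require "time"

# RFC 9126 section 2.2 defines this URN prefix for request_uri values issued by /par.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"

# Illustrative model of the PAR flow (assumption: not rodauth-oauth's code).
# Row keys mirror the plugin's documented default column names.
class PushedAuthorizationRequests
  PAR_TTL = 60 # seconds; assumed lifetime, not the plugin's default

  # applications: client_id => { id: Integer, require_par: true/false }
  # now: clock lambda, injectable so expiry can be exercised deterministically
  def initialize(applications, now: -> { Time.now })
    @applications = applications
    @requests = {} # code => row; stands in for the oauth_pushed_requests table
    @now = now
  end

  # POST /par. The caller has already authenticated the client, so client_id
  # here is the authenticated application. Returns [status, json_body].
  def push(client_id, params)
    app = @applications[client_id] or return [401, { "error" => "invalid_client" }]
    # Per RFC, /par accepts the authorization parameters except request_uri.
    return [400, { "error" => "invalid_request" }] if params.key?("request_uri")

    code = SecureRandom.urlsafe_base64(32) # unguessable reference
    @requests[code] = {
      oauth_application_id: app[:id],          # binds the PAR to this client
      code: code,
      expires_in: @now.call + PAR_TTL,         # absolute expiry timestamp
      params: URI.encode_www_form(params),     # stored URI-encoded, as the table does
    }
    [201, { "request_uri" => REQUEST_URI_PREFIX + code, "expires_in" => PAR_TTL }]
  end

  # GET /authorize?client_id=...&request_uri=...
  # Resolves the pushed params; the request_uri must exist, be unexpired,
  # and belong to the client_id presented alongside it.
  def resolve(client_id, request_uri)
    err = [400, { "error" => "invalid_request" }]
    app = @applications[client_id] or return err
    return err unless request_uri.to_s.start_with?(REQUEST_URI_PREFIX)

    code = request_uri.delete_prefix(REQUEST_URI_PREFIX)
    row = @requests[code] or return err
    return err if row[:expires_in] <= @now.call
    return err if row[:oauth_application_id] != app[:id]

    @requests.delete(code) # one-time use: a resolved reference cannot be replayed
    [200, URI.decode_www_form(row[:params]).to_h]
  end

  # Entry point for the authorization endpoint: honours the per-client
  # require_pushed_authorization_requests flag.
  def authorize_params(client_id, query)
    app = @applications[client_id] or return [400, { "error" => "invalid_request" }]
    if query.key?("request_uri")
      resolve(client_id, query["request_uri"])
    elsif app[:require_par]
      [400, { "error" => "invalid_request" }] # this client must use PAR
    else
      [200, query] # plain authorization request, parameters taken from the query
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for a stand-alone run.
  apps = { "client-a" => { id: 1, require_par: true } }
  par = PushedAuthorizationRequests.new(apps)
  status, body = par.push("client-a", { "response_type" => "code",
                                        "redirect_uri" => "https://client.example/cb" })
  puts "/par -> #{status} #{body}"
  puts "/authorize -> #{par.authorize_params("client-a", { "request_uri" => body["request_uri"] })}"
end
```

The checks in `resolve` are the ones that matter for this feature: the request URI is only meaningful together with the client_id it was pushed by, so a mismatch is treated the same as an unknown reference, and a consumed or expired reference is never served twice.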