How to Use Pushed Authorization Request (PAR) Endpoint

The Pushed Authorization Request (PAR) endpoint is used to securely send a signed authorization request in JWT format. The request is compact and contains all the necessary parameters for initiating the OIDC authentication process. Using this endpoint helps clients avoid sending sensitive information in plaintext and reduces the risk of parameter tampering.

Steps to Use the PAR Endpoint

1. Prepare the Authorization Request

There are two ways to prepare the authorization request:

Option 1: Use the request Parameter (Signed JWT)

  • If you want to use the request parameter, you need to construct a signed JWT that includes all the necessary authorization parameters. This JWT will be sent to the /oidc/request endpoint. The JWT ensures the integrity and security of the request. More info here

  • When using the signed JWT (request parameter), ensure that the request also carries the client authentication fields client_assertion_type and client_assertion, as in the example below.

Example of sending the signed JWT (request) parameter:

curl --location 'https://identity-dev.moneyhub.co.uk/oidc/request' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'request=YOUR_JWT_REQUEST' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=YOUR_CLIENT_ASSERTION_JWT'

Option 2: Send Parameters Separately

If you do not want to use the signed JWT (request parameter), you can send the authorization parameters directly in the body of the POST /oidc/request request or as query parameters in the GET /oidc/auth request.

Check the parameters here

Example of sending parameters separately in POST /oidc/request:

curl -X POST "https://identity.moneyhub.co.uk/oidc/request" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=67e5c1ce-1a3b-4ca8-a2d8-49ab822dbc24" \
  -d "scope=openid id:1ffe704d39629a929c8e293880fb449a" \
  -d "redirect_uri=http://localhost:3001" \
  -d "response_type=code" \
  -d "state=xyz123" \
  -d "nonce=abc456" \
  -d "claims={\"id_token\":{\"email\":\"true\",\"given_name\":\"true\"}}"

You can choose either approach depending on your use case: either send all parameters in a secure, signed JWT or send them separately in the request body or query string.

2. Send the Request to the /oidc/request Endpoint

Once you've prepared your request (whether using the signed JWT in the request parameter or sending parameters separately), you will send this data to the /oidc/request endpoint. This endpoint is where your authorization request will be processed.

Option 1: Using the request Parameter (Signed JWT)

If you are using the signed JWT (request parameter), you would send the JWT in the body of a POST request to the /oidc/request endpoint. The server will validate the signed JWT, check for the required parameters, and, if everything is correct, it will respond with a request_uri that can be used to initiate the authentication process via the /oidc/auth endpoint.

Option 2: Sending Parameters Separately

If you're sending the parameters separately (without the signed JWT), the parameters will be sent directly in the body of the POST /oidc/request request or as query parameters in the GET /oidc/auth request. The server will process the request, check for required parameters, and return a request_uri as part of the response.

3. Receive the request_uri

  • Upon successful validation of the request (the signed JWT, or the separately sent parameters), the server will respond with a request_uri and an expiration time (expires_in).

Example of the response:

{
  "request_uri": "urn:ietf:params:oauth:request_uri:XqjKQPKBho2762E3_v1og",
  "expires_in": 60
}
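As an added, offline-runnable example (not Moneyhub's code), the following Python builds the two JWTs the Option 1 call needs, the form body for POST /oidc/request, and the check a client should make on the request_uri response before redirecting the user to /oidc/auth. The issuer URL, the client-assertion audience and the HS256 demo signer are assumptions; a real client signs with its registered private key (RS256/PS256).

```python
import base64
import hashlib
import hmac
import json
import uuid
from urllib.parse import urlencode

ISSUER = "https://identity-dev.moneyhub.co.uk/oidc"  # assumed issuer; /request and /auth hang off it
PAR_ENDPOINT = ISSUER + "/request"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict, key: bytes) -> str:
    # Demo signer: HS256 with a shared key so the example runs offline. A real
    # client signs with its registered private key (RS256/PS256) and sets "kid".
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def build_par_body(client_id, redirect_uri, scope, state, nonce, key, now: int) -> dict:
    # Form fields for POST /oidc/request: signed request object + private_key_jwt assertion.
    request_object = {
        "iss": client_id, "aud": ISSUER, "client_id": client_id,
        "response_type": "code", "redirect_uri": redirect_uri, "scope": scope,
        "state": state, "nonce": nonce,
        "claims": {"id_token": {"email": {"essential": True}}},  # OIDC Core claims form
        "iat": now, "exp": now + 300, "jti": str(uuid.uuid4()),  # short-lived, single-use
    }
    client_assertion = {  # RFC 7523 client authentication; aud assumed to be the PAR endpoint
        "iss": client_id, "sub": client_id, "aud": PAR_ENDPOINT,
        "iat": now, "exp": now + 60, "jti": str(uuid.uuid4()),
    }
    return {"request": sign_jwt(request_object, key),
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": sign_jwt(client_assertion, key)}


def auth_url_from_par_response(resp: dict, client_id: str, received_at: int, now: int) -> str:
    # Validate the PAR response, then build the GET /oidc/auth redirect for the browser.
    uri = resp["request_uri"]
    if not uri.startswith("urn:ietf:params:oauth:request_uri:"):
        raise ValueError("unexpected request_uri format")
    if now - received_at >= resp["expires_in"]:
        raise ValueError("request_uri expired; push a new request instead of reusing it")
    return ISSUER + "/auth?" + urlencode({"client_id": client_id, "request_uri": uri})
```

The request_uri is bound to the pushed parameters and expires after expires_in seconds, so the redirect to /oidc/auth carries only client_id and request_uri.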