How to Use Pushed Authorisation Request (PAR) Endpoint
Pushed Authorisation Requests (PAR) are now the preferred way of initiating a connection or a payment with Moneyhub. The PAR endpoint is used to securely send a signed authorisation request in JWT format. The request is compact and contains all the parameters needed to initiate the OIDC authentication process. Using this endpoint means clients avoid sending sensitive information in plaintext and reduces the risk of parameter tampering. At a high level, the information required for an authorisation request is pushed directly to our identity service, and in return you get a request URI. This value is then used to reference the request information you provided. (See the above recipe for PAR in action.)
If you wish to use Pushed Authorisation Requests, we recommend that you set the Request Object Signing algorithm to `none` in the Admin Portal. The security gained from PAR means that request object signing isn't required. If request object signing is turned on, you will have to send a signed request object to the PAR endpoint.
Steps to Use the PAR Endpoint
1. Prepare the Authorisation Request
There are two ways to prepare the authorisation request (more docs):
Option 1: Use the `request` Parameter (Signed JWT)
If you want to use the `request` parameter, you need to construct a signed JWT that includes all the necessary authorisation parameters. This JWT is sent to the /oidc/request endpoint. The signature ensures the integrity and authenticity of the request. More info here.
Example of sending the signed JWT (`request`) parameter:
When using the signed JWT (`request` parameter), ensure that the request also includes the required client authentication fields, `client_assertion_type` and `client_assertion`, as shown in the example.
```shell
curl --location 'https://identity-dev.moneyhub.co.uk/oidc/request' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'request=YOUR_JWT_REQUEST' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=YOUR_CLIENT_ASSERTION_JWT'
```
Option 2: Send Parameters Separately
If you do not want to use the signed JWT (`request` parameter), you can send the authorisation parameters directly in the body of the POST /oidc/request request, or as query parameters in the GET /oidc/auth request.
Check the parameters here.
Example of sending parameters separately in POST /oidc/request:
```shell
curl -X POST "https://identity.moneyhub.co.uk/oidc/request" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=67e5c1ce-1a3b-4ca8-a2d8-49ab822dbc24" \
-d "scope=openid id:1ffe704d39629a929c8e293880fb449a" \
-d "redirect_uri=http://localhost:3001" \
-d "response_type=code" \
-d "state=xyz123" \
-d "nonce=abc456" \
-d "claims={\"id_token\":{\"email\":\"true\",\"given_name\":\"true\"}}"
```
You can choose either approach depending on your use case: either send all parameters in a secure, signed JWT or send them separately in the request body or query string.
2. Add to the request the same client authentication that you would use for the token endpoint (see Authentication).
3. Send the Request
Once you've prepared your request (whether using the signed JWT in the `request` parameter or sending parameters separately), send this data to the https://identity.moneyhub.co.uk/oidc/request endpoint. This is where your authorisation request will be processed.
Option 1: Using the `request` Parameter (Signed JWT)
If you are using the signed JWT (`request` parameter), send the JWT in the body of a POST request to the /oidc/request endpoint. The server validates the signed JWT, checks for the required parameters and, if everything is correct, responds with a `request_uri` that can be used to initiate the authentication process via the /oidc/auth endpoint.
Option 2: Sending Parameters Separately
If you're sending the parameters separately (without the signed JWT), send them directly in the body of the POST /oidc/request request, or as query parameters in the GET /oidc/auth request. The server processes the request, checks for the required parameters, and returns a `request_uri` as part of the response.
4. Receive the `request_uri`
Upon successful validation of the signed JWT (or of the separately sent parameters), the server responds with a `request_uri` and an expiration time in seconds (`expires_in`).
Example of the response:
```json
{
"request_uri": "urn:ietf:params:oauth:request_uri:XqjKQPKBho2762E3_v1og",
"expires_in": 60
}
```
5. Create the authorisation URL
Create the authorisation URL in the format: https://identity.moneyhub.co.uk/oidc/auth?request_uri=<request_uri>
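As an added example (not Moneyhub's own code), the following Python helpers cover the client side of steps 1, 4 and 5 for option 2: encoding the form body (with the `claims` object serialised to JSON, as in the curl example), checking the PAR response, and building the /oidc/auth URL while refusing a `request_uri` whose `expires_in` window has already elapsed. The issuer URL and the request_uri URN prefix are taken from the page; the sample response and all other values are constructed for illustration.

```python
import json
import time
from urllib.parse import urlencode

# Issuer and URN prefix as shown on the page; everything else below is constructed.
ISSUER = "https://identity.moneyhub.co.uk"
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


def build_par_body(params: dict) -> str:
    """Encode authorisation parameters as the x-www-form-urlencoded PAR body
    (option 2). The claims parameter must be a JSON string, so a dict value
    is serialised before encoding; the client authentication fields are
    added separately by the caller (see step 2)."""
    body = dict(params)
    if isinstance(body.get("claims"), dict):
        body["claims"] = json.dumps(body["claims"], separators=(",", ":"))
    return urlencode(body)


def parse_par_response(raw: str, now: float) -> dict:
    """Parse the JSON returned by /oidc/request and turn the relative
    expires_in into an absolute expiry so later code can check it."""
    data = json.loads(raw)
    request_uri = data["request_uri"]
    if not request_uri.startswith(REQUEST_URI_PREFIX):
        raise ValueError("unexpected request_uri format: %r" % request_uri)
    return {"request_uri": request_uri, "expires_at": now + int(data["expires_in"])}


def build_authorisation_url(par: dict, now: float, issuer: str = ISSUER) -> str:
    """Step 5: the redirect the user is sent to. A request_uri is single-use and
    short-lived (60 s in the page's example), so an expired one is rejected here
    rather than producing a redirect the identity service will refuse."""
    if now >= par["expires_at"]:
        raise ValueError("request_uri has expired; push a new authorisation request")
    return issuer + "/oidc/auth?" + urlencode({"request_uri": par["request_uri"]})


if __name__ == "__main__":
    # Constructed sample response mirroring the shape shown on the page.
    sample = '{"request_uri": "urn:ietf:params:oauth:request_uri:XqjKQPKBho2762E3_v1og", "expires_in": 60}'
    body = build_par_body({"client_id": "EXAMPLE_CLIENT_ID", "scope": "openid",
                           "response_type": "code", "claims": {"id_token": {"email": "true"}}})
    print("PAR body:", body)
    par = parse_par_response(sample, time.time())
    print("Redirect to:", build_authorisation_url(par, time.time()))
```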