OAuth 2.0 Pushed Authorization Requests
draft-ietf-oauth-par-10

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-par@ietf.org, hannes.tschofenig@arm.com, oauth-chairs@ietf.org, oauth@ietf.org, rdd@cert.org, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'OAuth 2.0 Pushed Authorization Requests' to Proposed Standard (draft-ietf-oauth-par-10.txt)

The IESG has approved the following document:
- 'OAuth 2.0 Pushed Authorization Requests'
  (draft-ietf-oauth-par-10.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-par/


Ballot Text

Technical Summary

   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent call to the authorization
   endpoint.

Working Group Summary

  The document changes the way to interact with the authorization 
  request endpoint. The use of this work is envisioned within the 
  finance sector.  

Document Quality

Based on feedback provided by participants of the OAuth working group
the following implementations of PAR are available:

Open source framework implementing PAR (with optional JWSREQ) in Golang:
https://github.com/zntrio/solid

Authlete supports PAR and has passed the PAR test cases in the OpenID
conformance suite. Documents mentioning Authlete's PAR support are here:
https://www.authlete.com/news/20210204_authlete_2_2/
https://www.authlete.com/developers/relnotes/2.2/

The Node.js open source openid-client project:
https://github.com/panva/node-openid-client

Glewlwyd 2.5.2 supports PAR:
https://github.com/babelouest/glewlwyd

PAR is supported by the Connect2id server and the open source OAuth 2.0 / OIDC SDK,
which has also been picked up by some downstream security frameworks and projects:
https://connect2id.com/blog/pushed-authorisation-request-in-oauth-sdk

The Yes Signing Flow is based on PAR and therefore implemented by our banks (> 1000).
A Python client for the yes signing flow is publicly available that uses PAR:
https://github.com/yescom/pyyes

Authress supports PAR.

The Node.js open source oidc-provider project implements PAR behind a feature flag:
https://github.com/panva/node-oidc-provider

The open source project "Loginbuddy" implements PAR and the functionality is 
documented here: 
https://github.com/SaschaZeGerman/loginbuddy/wiki/Protocols-and-APIs

PingFederate has officially released PAR, see
https://docs.pingidentity.com/bundle/pingfederate-102/page/qem1584122852896.html

Finally, ForgeRock plans to implement PAR.

Personnel

Hannes Tschofenig is the document shepherd.

Roman Danyliw is the responsible area director.


RFC Editor Note