Access Management 7.3.2

/oauth2/par

The /oauth2/par endpoint is the OAuth 2.0 pushed authorization request (PAR) endpoint defined in RFC 9126.

Use this endpoint to push an authorization request payload directly to the authorization server for the following flows:

Specify the realm in the request URL; for example:

https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/par

The PAR endpoint supports the following parameters:

Parameter Description Required

acr_values

The OpenID Connect authentication context class reference values.

Yes, if required by the OpenID Connect provider

claims

The user attributes to be returned in the ID token.

No

client_assertion

A signed JSON Web Token (JWT) to use as client credentials.

Yes, for JWT profile authentication

client_assertion_type

The type of assertion, client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer.

Yes, for JWT profile authentication

client_id

Uniquely identifies the application making the request.

Yes, even when it is also included in a request object

client_secret

The password for a confidential client.

Yes, when authenticating with Form parameters (HTTP POST)

code_challenge

The code verifier generated for the PKCE flow.

Yes, for confidential clients and for all clients using the Authorization code grant with PKCE flow

code_challenge_method

The method to derive the code challenge.

Yes, when the code_challenge is hashed (recommended)

csrf

The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks.

Yes, when gathering consent without a remote consent service

decision

Specifies whether the resource owner consents to the requested access.

Yes, when gathering consent unless consent is already saved for the scope

id_token_hint

Previously issued ID token previously passed as a hint about the end user’s session with the client.

No

login_hint

String value that can be set to the ID the user uses to log in.

No

nonce

String value that associates the client session with the ID token.

No

prompt

Specifies whether to prompt the end user for authentication and consent.

No

redirect_uri

The URI to return the resource owner to after authorization is complete.

No

request

A base64url-encoded JWT with the claims required for PAR validation.(1)

Yes

response_mode

Specifies the mechanism for returning response parameters.

No

response_type

The type of response expected from the authorization server.

Yes

save_consent

Specifies whether to store a resource owner’s consented scopes.

No

scope

The scopes linked to the permissions requested by the client from the resource owner.

No

service

The authentication journey to use when authenticating the resource owner.

No

state

The value to maintain state between the request and the callback.

No, but strongly recommended

ui_locales

The end user’s preferred languages for the user interface.

No

(1) When you use a request object, define all the request parameters as claims in the JWT. Use only the following client authentication parameters alongside the request:

client_assertion
client_assertion_type
client_id
client_secret

Otherwise, the response is an Invalid parameter scope error.

The following is an example of a PAR request object:

{
  "client_id": "myClient",
  "nbf": 1594140030,
  "redirect_uri": "https://www.example.com:8443",
  "scope" : "write",
  "exp": 1594140390,
  "response_type" : "code",
  "code_challenge" :  "QR1D-7w1-rOQvlFe1CeqZigqaIpmZXatDMVvZ50o",
  "code_challenge_method" : "S256"
}