---
title: Pushed authorization requests endpoint
description: The PingFederate authorization server (AS) can provide a pushed authorization requests (PAR) endpoint /as/par.oauth2. OAuth 2.0 clients can use the PAR endpoint to securely initiate authorization flows.
component: pingfederate
version: 13.0
page_id: pingfederate:developers_reference_guide:pf_pushed_authoriz_request_endpoint
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/developers_reference_guide/pf_pushed_authoriz_request_endpoint.html
revdate: June 19, 2023
---

# Pushed authorization requests endpoint

The PingFederate authorization server (AS) can provide a pushed authorization requests (PAR) endpoint `/as/par.oauth2`. OAuth 2.0 clients can use the PAR endpoint to securely *initiate* authorization flows.

When the PAR endpoint is enabled, a client can push an authorization request payload to the AS with a direct back-channel request. This is a more secure method of sending sensitive data, such as personally identifiable information, than sending it with a browser on the front channel. The payload parameters are formatted as `application/x-www-form-urlencoded`. The PAR endpoint can accept all parameters that usually comprise an authorization request and any additional parameters needed for client authentication. It can also accept signed requests.

**Note:** The PAR endpoint only accepts the HTTP POST method.

After the AS validates the request and saves the payload, it returns the `request_uri` parameter to serve as a reference to the payload. The response also indicates the lifetime of the request URI. The default lifetime is 60 seconds.

Sample request for a `request_uri` to the PAR endpoint

```
  POST /as/par.oauth2 HTTP/1.1
  Host: as.example.com
  Content-Type: application/x-www-form-urlencoded
  Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

  response_type=code
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
```

Sample response with a `request_uri` from the PAR endpoint

```
  HTTP/1.1 201 Created
  Cache-Control: no-cache, no-store
  Content-Type: application/json

  {
    "expires_in": 60,
    "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2"
  }
```

Subsequently, the client uses the front channel to request an authorization code or token, sending the `request_uri` parameter to the AS authorization endpoint. The AS uses the request URI to look up the request payload and continue the authorization flow as usual. The AS accepts a particular request URI only once.

Sample request for an authorization code or token to the authorization endpoint

```
  GET /as/authorization.oauth2?client_id=s6BhdRkqt3
    &request_uri=urn%3Aexample%3Abwc4JK-ESC0w8acc191e-Y1LTC2 HTTP/1.1
  Host: as.example.com
```
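The two-step flow above (back-channel push, then a front-channel request carrying only `client_id` and `request_uri`), as an added example that is not PingFederate's own code. The HTTP call is injected so it runs offline against a constructed stand-in for the AS; the client secret is the one encoded in the sample `Authorization` header above, and the `now` timestamps are assumed values.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Added example, not PingFederate's own code: the client side of the PAR flow
# shown above. The HTTP call is injected (`post`) so the example runs offline;
# endpoint paths and sample values are the ones documented on this page.
PAR_PATH = "/as/par.oauth2"
AUTHZ_PATH = "/as/authorization.oauth2"

def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication; RFC 6749 form-encodes both parts first."""
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode()).decode()

def push_authorization_request(post, issuer, client_id, client_secret, params, now):
    """Back channel: POST the whole authorization payload to the PAR endpoint.
    `post(url, headers, body)` returns (status, body_text). The result records the
    request_uri, its expiry (default 60 s) and whether it is spent: the AS accepts a given URI once."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth_header(client_id, client_secret)}
    status, text = post(issuer + PAR_PATH, headers, urlencode(dict(params, client_id=client_id)))
    if status != 201:
        raise RuntimeError(f"PAR endpoint returned HTTP {status}: {text}")
    resp = json.loads(text)
    return {"request_uri": resp["request_uri"],
            "expires_at": now + int(resp["expires_in"]), "used": False}

def authorization_url(issuer, client_id, par, now):
    """Front channel: only client_id and request_uri travel through the browser."""
    if par["used"]:
        raise ValueError("request_uri already presented to the AS")
    if now >= par["expires_at"]:
        raise ValueError("request_uri expired; push a new authorization request")
    par["used"] = True
    return f"{issuer}{AUTHZ_PATH}?" + urlencode({"client_id": client_id, "request_uri": par["request_uri"]})

def fake_par_endpoint(url, headers, body):
    """Constructed stand-in for the AS; it returns this page's sample response."""
    if not url.endswith(PAR_PATH) or not headers.get("Authorization", "").startswith("Basic "):
        return 401, '{"error": "invalid_client"}'
    return 201, '{"expires_in": 60, "request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2"}'

def run_flow(now=1000.0):
    """Push the page's sample payload, then build the front-channel URL 5 s later."""
    params = {"response_type": "code", "state": "af0ifjsldkj", "redirect_uri": "https://client.example.org/cb"}
    par = push_authorization_request(fake_par_endpoint, "https://as.example.com",
                                     "s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw", params, now)
    return authorization_url("https://as.example.com", "s6BhdRkqt3", par, now + 5)
```

`run_flow()` returns the same front-channel URL as the sample authorization request above; reusing the `request_uri`, or presenting it after `expires_in` seconds, raises instead of sending a request the AS would reject.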

To let OAuth clients use the PAR endpoint, you must enable PAR on the AS. Additionally, you can configure individual clients so that they must use the PAR endpoint to initiate authorization flows. For more information about PAR settings, see [Configuring authorization server settings](../administrators_reference_guide/help_authorizationserversettingstasklet_oauthauthorizationserversettingsstate.html) and [Configuring OAuth clients](../administrators_reference_guide/pf_configuring_oauth_clients.html).

When PAR is enabled on the AS, the well-known endpoint `/.well-known/openid-configuration` includes these PAR parameters in responses:

* `pushed_authorization_request_endpoint` contains the PAR endpoint

* `require_pushed_authorization_requests` indicates whether the AS requires clients to use PAR

PingFederate can decrypt encrypted request objects, which are described in the [OpenID Connect 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html). Request objects with asymmetric encryption must be encrypted using the public keys that PingFederate exposes at `/pf/JWKS`. Request objects with symmetric encryption need a key derived from the client's configured client secret, so the client secret must be stored in a reversible format, as it also must be for, for example, symmetrically encrypted ID tokens or hash-based message authentication code (HMAC) ID tokens. You can configure PingFederate to accept only request objects that are encrypted by enabling the `front-channel-encryption-required` setting in `jwt-request-object-options.xml`.

You can use parameters from PAR payloads in authentication policies. The policies can reference them like other [tracked HTTP request parameters](../administrators_reference_guide/qmq1564002987890.html). Make PAR parameters available to policies by adding them to the **Policies** window's **Tracked HTTP Parameters** tab.

**Note:** When the name of a request parameter from the subsequent authorization request matches the name of a parameter from the initial PAR request, the value from the PAR request parameter takes precedence.

For more information about the PAR protocol, see [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) on the IETF website.
