Implement PAR
track https://tools.ietf.org/html/draft-ietf-oauth-par-04
Hi! From the presentation "OAuth 2.1" and beyond (as always a great presentation!), I got the impression that PAR was ready to use (even though it still is a draft), but now I realized that it is a planned feature. What are the plans for PAR?
As soon as the spec is finalized, we will add it.
Looking forward to that, thank you!
Really looking forward to this :)
As part of this, we think it will be necessary to pass the full validated request to the redirect URI validator.
Getting access to the full validated request in the URI validator would be a welcome addition on its own :)
Some internal notes I jotted down:
1: validate on PAR endpoint (refactor from authZ validator)
2: bypass validation for valid PAR request URI on authZ EP
3: allow client to have per-request redirect_uri (only for confidential clients, JAR). Maybe this means we add which params are validated to the request object, and then pass that along to the URI validator.
🥳
Any comments on a more precise date for the PAR feature for identity server? :)
We postpone PAR in favour of DPoP.
DPoP will come in the next version, PAR the version after that.
related: https://github.com/DuendeSoftware/IdentityServer/issues/983