Question

When making a Pushed Authorization Request (PAR), how can this issue be resolved:

• Client makes PAR request using request object including redirect_uri
• Client gets back a request_uri
• Client makes an authorisation request using request_uri. Client also includes client_Id and scope parameters in the request. Client DOES NOT include redirect_uri as a parameter, as it was included in the original request object.
• Authorization server is rejecting the authorization request as redirect_uri is not present in the authorisation request.

Our interpretation is that since redirect_uri was supplied in the request object, it is not required to be sent again in the authorisation request. This is also in line with the IETF PAR documentation.

Answer

Your interpretation is correct. If the client lodges the authorisation request using PAR, the authorisation server should honour this and not return an error. The problem you are encountering indicates the authorisation server is not compliant with the PAR standard. 

Section 5.2.2 of FAPI-R requires that the redirect_uri must be provided in the authorisation request. If the client is using PAR, then the client has pre-staged the authorisation request. If the client does not use PAR, then the redirect_uri must be present in the request object sent by value to the /authorise endpoint.

9. shall require the redirect_uri parameter in the authorization request;

10. shall require the value of redirect_uri to exactly match one of the pre-registered redirect URIs;

The redirect_uri should not be sent outside of a request object per the CDS spec. This is further clarified in more recent drafts of FAPI Part 2 advanced profile, section 5.2.2 and 5.2.5.

See:

• OAuth 2.0 Pushed Authorization Requests.