Question
When making a Pushed Authorization Request (PAR), how can this issue be resolved:
- Client makes PAR request using request object including
redirect_uri
- Client gets back a
request_uri
- Client makes an authorisation request using
request_uri
. Client also includesclient_Id
and scope parameters in the request. Client DOES NOT includeredirect_uri
as a parameter, as it was included in the original request object. - Authorization server is rejecting the authorization request as
redirect_uri
is not present in the authorisation request.
Our interpretation is that since redirect_uri
was supplied in the request object, it is not required to be sent again in the authorisation request. This is also in line with the IETF PAR documentation.
Answer
Your interpretation is correct. If the client lodges the authorisation request using PAR, the authorisation server should honour this and not return an error. The problem you are encountering indicates the authorisation server is not compliant with the PAR standard.
Section 5.2.2 of FAPI-R requires that the redirect_uri
must be provided in the authorisation request. If the client is using PAR, then the client has pre-staged the authorisation request. If the client does not use PAR, then the redirect_uri
must be present in the request object sent by value to the /authorise
endpoint.
9. shall require the
redirect_uri
parameter in the authorization request;10. shall require the value of
redirect_uri
to exactly match one of the pre-registered redirect URIs;
The redirect_uri
should not be sent outside of a request object per the CDS spec. This is further clarified in more recent drafts of FAPI Part 2 advanced profile, section 5.2.2 and 5.2.5.
See:
Comments
0 comments
Please sign in to leave a comment.