proposal: x/oauth2: support pushed authorization requests (PAR) #65956

Open
theadell opened this issue Feb 27, 2024 · 0 comments
theadell commented Feb 27, 2024

Feature request golang/oauth2#653

We propose adding support for PAR (RFC 9126).

Motivation: PAR uses HTTP POST to send the authorization request parameters directly to the authorization server instead of sending them as URI query parameters via redirection in the user agent. This change would make it easier to write more secure OAuth clients by adding confidentiality and integrity to the authorization requests, reducing exposure to tampering and data leakage, and addressing the limitations on URL length that can prevent complex requests, such as when using JWT-Secured Authorization Request (JAR) or requests with fine-grained authorization.

PAR is already supported by many IAM solutions such as Okta, Auth0, Curity, Identity Server, and Keycloak.

Proposed API:

// PushAuthRequest sends a back-channel authorization request to the PAR endpoint and returns a URL
// to the OAuth 2.0 provider's consent page which contains a reference to the request made.
//
// The state parameter is used to prevent CSRF attacks. opts may include any authorization
// request parameters as defined in RFC 6749, or any extension like PKCE (RFC 7636) or JAR (RFC 9101).
//
// Recommended to use over AuthCodeURL when the authorization server supports it.
// See https://datatracker.ietf.org/doc/html/rfc9126
func (c *Config) PushAuthRequest(ctx context.Context, state string, opts ...AuthCodeOption) (string, error)

Additionally, we update the Endpoint struct to include a PARURL field:

type Endpoint struct {
    AuthURL       string
    DeviceAuthURL string
    TokenURL      string
    PARURL        string // New field for the PAR endpoint URL

    AuthStyle AuthStyle
}

Prototype implementation: https://go-review.googlesource.com/c/oauth2/+/567315
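To show what the proposed PushAuthRequest does on the wire, here is an added, self-contained sketch that is not the prototype's or x/oauth2's code. PARClient is a hypothetical stand-in for the relevant Config/Endpoint fields, newFakePAR is a constructed PAR endpoint used only so the program runs offline, and the request_uri value it returns is made up.

```go
package main
import (
	"context"
	"encoding/json"
	"fmt"
	"maps"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)
type PARClient struct{ ClientID, ClientSecret, RedirectURL, AuthURL, PARURL, Scope string } // hypothetical stand-in for oauth2.Config/Endpoint
// PushAuthRequest pushes the whole authorization request to the PAR endpoint over the back channel (RFC 9126 section 2.1)
// and returns a front-channel URL carrying only client_id and the opaque request_uri, so redirect_uri, scope, state and any PKCE/JAR parameters never pass through the user agent.
func (c *PARClient) PushAuthRequest(ctx context.Context, state string, extra url.Values) (string, error) {
	form := url.Values{"response_type": {"code"}, "client_id": {c.ClientID}, "redirect_uri": {c.RedirectURL}, "scope": {c.Scope}, "state": {state}}
	maps.Copy(form, extra) // e.g. code_challenge and code_challenge_method for PKCE (RFC 7636)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.PARURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret) // the confidential client authenticates itself on the back channel
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ RequestURI string `json:"request_uri"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || resp.StatusCode != http.StatusCreated || body.RequestURI == "" {
		return "", fmt.Errorf("par: request rejected, status %d, err %v", resp.StatusCode, err)
	}
	return c.AuthURL + "?" + url.Values{"client_id": {c.ClientID}, "request_uri": {body.RequestURI}}.Encode(), nil
}
// newFakePAR is a constructed PAR endpoint: it requires client authentication, rejects a pushed request_uri as RFC 9126 demands, and answers 201 with an opaque request_uri.
func newFakePAR(id, secret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || u != id || p != secret || r.FormValue("request_uri") != "" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusCreated)
		fmt.Fprint(w, `{"request_uri":"urn:ietf:params:oauth:request_uri:constructed-demo","expires_in":60}`)
	}))
}
func main() {
	srv := newFakePAR("client-a", "s3cret")
	c := &PARClient{"client-a", "s3cret", "https://app.example/cb", "https://as.example/authorize", srv.URL, "openid email"}
	fmt.Println(c.PushAuthRequest(context.Background(), "xyz", url.Values{"code_challenge": {"E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"}, "code_challenge_method": {"S256"}}))
}
```

The printed URL contains nothing but client_id and request_uri, which is the confidentiality gain the proposal describes; a wrong client secret or a pushed request_uri is refused by the endpoint and surfaces as an error.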

@gopherbot gopherbot added this to the Proposal milestone Feb 27, 2024