PAR Endpoint

The PAR endpoint enables support for pushed authorization requests (PAR) to enhance the security and privacy of the exchange between the client application and HID Authentication Service. Instead of exposing the client's parameters of an authorization request in the URL query string, the parameters are posted to the HID Authentication Service using a backchannel.

HID Authentication Service checks the parameters and generates a request URI to represent the request object if they are valid. This URI then serves as a reference for the request in a subsequent calls to the Authentication endpoint.

For further information about PAR, see the specifications OAuth 2.0 Pushed Authorization Requests

https://[base-server-url]/{tenant}/authn/par [POST]

PAR in the Authentication Flow

Once the request_uri is returned by PAR endpoint, it can be sent to the Authentication endpoint as a parameter to continue with the authentication process.

https://[base-server-url]/{tenant}/authn/login?request_uri=urn:hid:43d5b009-7b52-4d6f-a8a9-0d8de27968f9&client_id=spl-api&response_type=code&scope=openid+profile

HID Authentication Service redirects the user to the relevant login page.

If the authentication is successful, the authorization code is sent to the redirect_uri of the OpenID client.

http://localhost/?code=22454157&context=LEVEL_OF_ASSURANCE%3A1%3Afalse+PARAMETER_AUTHENTICATION_TYPE_CODE%3AAT_CUSTPW%3Afalse+&state=VzRP4nD6iKCKPuRi

The client application then uses the code to get the access token from the Token endpoint.

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAXsWTg+2HVgFnmEk5+RSlbfMN57kn1zG
Content-Length: 120
Host: <hostname>
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_291)
 
code=22454157&client_id=spl-api&redirect_uri=http%3A%2F%2Flocalhost&scope=openid%20profile&grant_type=authorization_code

HTTP/1.1 200 OK
 
{
    "access_token": "hamFwQAAAXsWTYUr2beCbVgEtLkrUPDmpcCWJ9FG",
    "id_token": "eyJraWQiOiIxNjI4MDk5NTkxMDI4IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiWW8xRlRvRmwyV3ktTGtSUUdoUEhlQSIsInN1YiI6InNwbC1jdXN0MDEiLCJhdWQiOiJzcGwtYXBpIiwiYWNyIjoiMSIsImF1dGhfdGltZSI6MTYyODE2Njc4NCwiaXNzIjoiaHR0cHM6XC9cL0hKSTkwLmFkLmdsb2JhbDo4NDQ1XC9pZHBcL09OTElORUJBTktcL2F1dGhuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3BsLWN1c3QwMSIsImV4cCI6MTYyODE3MDM4NCwiaWF0IjoxNjI4MTY2Nzg0LCJub25jZSI6InJndTFWak9sMkowSEhJdGQiLCJzaWQiOiJlMGhKUkMxSlFTMDBWQzVUUlZOVFNVOU9MakY5TG1Vd2JGZFFWWEZrT1N0TlZrWnNTbVI0VkZaRWN5OTJjV1ZoWTNOUlZWWlVUVzR3ZFV4Q1ZWZG1UVXRJUTBwR1IyMUdZVEJsUjIwNFdXVklUVXhLWmxabFpWcFdjREJZV1hKNlIzVjBSaXR2U2tRMk1UQnRNbUZRWlV3NGVsRTRWMWxhUTJ3PSJ9.I9GRKO5JxXkeQxIZ6rVGoM_aJm4LDqrC8ftQ9J0b0th1h-jZd8SjHk4pFWMp03kKawpBFUPoL618tAds4KLQtMfF7dFRFOmZrrd8VbAU2hFHlI_1ejpRNmiPMVtxTI9WaCVLii-NrS7cgpU7o0AWOw8DR29QcSey2FUNNVGqjle-wRzjIEH1o29OMufxXs01SkXQy1lxOLpC8rKN1fo7PUFamejQxyBX2KM4QtwT6zTWXT6LAHoEknXdjuR92g9VRYVVs1ANPwOfWQ2L1dr1amV0SfS26lrfenVnio-m9OsGA2x4ULeMZQHjA97rtjUgz4s2fcpS4H0eCCuklcdozA",
    "context": {"LEVEL_OF_ASSURANCE": "1"},
    "token_type": "Bearer",
    "expires_in": 3600
}

Configure Support for PAR

To enable PAR support, you need to configure the following parameters:

You can configure the parameters using:

• Dynamic client registration API:

  Copy

  Sample request for registration:

  POST https://[base-server-url]/{tenant}/authn/register HTTP/1.1
  Authorization: Bearer RTp7HwAAAXtUNk1wQqZ6dlNG43lkYr37UHmsnZgc
   
  {
      "redirect_uris": [
          "http://<hostnanme>/DemoResourceProvider",
          "https://client.example.org/callback",
          "https://client.example.org/callback2"
      ],
      "client_name": "openid client 1",
      "client_id": "client1",
      "hid_client_channel": "CH_IIS",
      "hid_client_pwd_policy": "AT_SYSLOG",
      "hid_client_pki_policy": "AT_EMPPKI",
      "hid_user_channel": "CH_IIS",
      "hid_user_authn_policy": "AT_EMPPWD",
      "hid_sessiontransfer_type": "NUM002",
      "hid_client_group": "USG_SYS",
      "pushed_authorization_request_validity": "60",
      "require_pushed_authorization_requests": "true"
  }

  Copy

  Sample request for update (with minimum parameters)

  PUT https://[base-server-url]/{tenant}/authn/register HTTP/1.1
  Authorization: Bearer RTp7HwAAAXtUNk1wQqZ6dlNG43lkYr37UHmsnZgc
   
  {
      "client_id": "client1",
      "pushed_authorization_request_validity": "300",
      "require_pushed_authorization_requests": "false"
  }

PAR Requests

A PAR request is sent by POST and the body can contain any valid authorization request.

The endpoint accepts the same parameters as the Authentication endpoint except the request_uri parameter.

The PAR request requires client authentication.

POST https://[base-server-url]/{tenant}/authn/par HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAXo43UFtpwwHm8Lj5B66rSruZhd4QEuu
 
state=VzRP4nD6iKCKPuRi&nonce=rgu1VjOl2J0HHItd&response_type=code&scope=openid&redirect_uri=http://localhost&client_id=spl-api

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
 
{
    "expires_in": 600,
    "request_uri": "urn:hid:94f52a9a-a5ca-4395-a047-49d14739c3cc"
}

Error Responses

If the PAR endpoint detects errors in the request parameters, it returns an error.

HTTP/1.1 400 Bad Request
 
{
    "error_description": "Invalid, unknown or malformed scope Scope not supported: wrong",
    "error": "invalid_scope"
}

HTTP/1.1 400 Bad Request
 
{
    "error_description": "Invalid request : client_id not match",
    "error": "invalid_request"
}

HTTP/1.1 401 Unauthorized
 
{
    "error_description": "Invalid access token: Bearer token is invalid",
    "error": "invalid_token"
}