PAR Endpoint

The PAR endpoint enables support for pushed authorization requests (PAR) to enhance the security and privacy of the exchange between the client application and HID Authentication Service. Instead of exposing the client's parameters of an authorization request in the URL query string, the parameters are posted to the HID Authentication Service using a backchannel.

HID Authentication Service checks the parameters and generates a request URI to represent the request object if they are valid. This URI then serves as a reference for the request in a subsequent calls to the Authentication endpoint.

For further information about PAR, see the specifications OAuth 2.0 Pushed Authorization Requests

Copy

The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):

https://[base-server-url]/{tenant}/authn/par [POST]

Method Details

POST

PAR in the Authentication Flow

Once the request_uri is returned by PAR endpoint, it can be sent to the Authentication endpoint as a parameter to continue with the authentication process.

Copy

Sample request

https://[base-server-url]/{tenant}/authn/login?request_uri=urn:hid:43d5b009-7b52-4d6f-a8a9-0d8de27968f9&client_id=spl-api&response_type=code&scope=openid+profile

HID Authentication Service redirects the user to the relevant login page.

If the authentication is successful, the authorization code is sent to the redirect_uri of the OpenID client.

Copy

Sample authorization code

http://localhost/?code=22454157&context=LEVEL_OF_ASSURANCE%3A1%3Afalse+PARAMETER_AUTHENTICATION_TYPE_CODE%3AAT_CUSTPW%3Afalse+&state=VzRP4nD6iKCKPuRi

The client application then uses the code to get the access token from the Token endpoint.

Copy

Sample request

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAXsWTg+2HVgFnmEk5+RSlbfMN57kn1zG
Content-Length: 120
Host: <hostname>
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_291)
 
code=22454157&client_id=spl-api&redirect_uri=http%3A%2F%2Flocalhost&scope=openid%20profile&grant_type=authorization_code

Copy

Sample response

HTTP/1.1 200 OK
 
{
    "access_token": "hamFwQAAAXsWTYUr2beCbVgEtLkrUPDmpcCWJ9FG",
    "id_token": "eyJraWQiOiIxNjI4MDk5NTkxMDI4IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiWW8xRlRvRmwyV3ktTGtSUUdoUEhlQSIsInN1YiI6InNwbC1jdXN0MDEiLCJhdWQiOiJzcGwtYXBpIiwiYWNyIjoiMSIsImF1dGhfdGltZSI6MTYyODE2Njc4NCwiaXNzIjoiaHR0cHM6XC9cL0hKSTkwLmFkLmdsb2JhbDo4NDQ1XC9pZHBcL09OTElORUJBTktcL2F1dGhuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3BsLWN1c3QwMSIsImV4cCI6MTYyODE3MDM4NCwiaWF0IjoxNjI4MTY2Nzg0LCJub25jZSI6InJndTFWak9sMkowSEhJdGQiLCJzaWQiOiJlMGhKUkMxSlFTMDBWQzVUUlZOVFNVOU9MakY5TG1Vd2JGZFFWWEZrT1N0TlZrWnNTbVI0VkZaRWN5OTJjV1ZoWTNOUlZWWlVUVzR3ZFV4Q1ZWZG1UVXRJUTBwR1IyMUdZVEJsUjIwNFdXVklUVXhLWmxabFpWcFdjREJZV1hKNlIzVjBSaXR2U2tRMk1UQnRNbUZRWlV3NGVsRTRWMWxhUTJ3PSJ9.I9GRKO5JxXkeQxIZ6rVGoM_aJm4LDqrC8ftQ9J0b0th1h-jZd8SjHk4pFWMp03kKawpBFUPoL618tAds4KLQtMfF7dFRFOmZrrd8VbAU2hFHlI_1ejpRNmiPMVtxTI9WaCVLii-NrS7cgpU7o0AWOw8DR29QcSey2FUNNVGqjle-wRzjIEH1o29OMufxXs01SkXQy1lxOLpC8rKN1fo7PUFamejQxyBX2KM4QtwT6zTWXT6LAHoEknXdjuR92g9VRYVVs1ANPwOfWQ2L1dr1amV0SfS26lrfenVnio-m9OsGA2x4ULeMZQHjA97rtjUgz4s2fcpS4H0eCCuklcdozA",
    "context": {"LEVEL_OF_ASSURANCE": "1"},
    "token_type": "Bearer",
    "expires_in": 3600
}

Note: Once the request_uri is used by the authorization code flow to get the authorization code, the request is invalidated (deleted from the database), and cannot be re-used. If an attempt is made to reuse the request_uri an error page will be returned.

Configure Support for PAR

To enable PAR support, you need to configure the following parameters:

Parameter Description

Parameter	Description
`pushed_authorization_request_validity`	Defines the validity period of the PAR request (in seconds and must be greater than 0) The default value is 600 Note: In the specifications OAuth 2.0 Pushed Authorization Requests, the recommended values are 5-600 seconds.

pushed_authorization_request_validity

Defines the validity period of the PAR request (in seconds and must be greater than 0)

The default value is 600

Note: In the specifications OAuth 2.0 Pushed Authorization Requests, the recommended values are 5-600 seconds.

You can configure the parameters using:

Dynamic client registration API:

Copy

Sample request for registration:

POST https://[base-server-url]/{tenant}/authn/register HTTP/1.1
Authorization: Bearer RTp7HwAAAXtUNk1wQqZ6dlNG43lkYr37UHmsnZgc
 
{
    "redirect_uris": [
        "http://<hostnanme>/DemoResourceProvider",
        "https://client.example.org/callback",
        "https://client.example.org/callback2"
    ],
    "client_name": "openid client 1",
    "client_id": "client1",
    "hid_client_channel": "CH_IIS",
    "hid_client_pwd_policy": "AT_SYSLOG",
    "hid_client_pki_policy": "AT_EMPPKI",
    "hid_user_channel": "CH_IIS",
    "hid_user_authn_policy": "AT_EMPPWD",
    "hid_sessiontransfer_type": "NUM002",
    "hid_client_group": "USG_SYS",
    "pushed_authorization_request_validity": "60",
    "require_pushed_authorization_requests": "true"
}

Copy

Sample request for update (with minimum parameters)

PUT https://[base-server-url]/{tenant}/authn/register HTTP/1.1
Authorization: Bearer RTp7HwAAAXtUNk1wQqZ6dlNG43lkYr37UHmsnZgc
 
{
    "client_id": "client1",
    "pushed_authorization_request_validity": "300",
    "require_pushed_authorization_requests": "false"
}

PAR Requests

A PAR request is sent by POST and the body can contain any valid authorization request.

The endpoint accepts the same parameters as the Authentication endpoint except the request_uri parameter.

The PAR request requires client authentication.

Note: Only confidential clients can send PAR requests.

Copy

Sample request:

POST https://[base-server-url]/{tenant}/authn/par HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAXo43UFtpwwHm8Lj5B66rSruZhd4QEuu
 
state=VzRP4nD6iKCKPuRi&nonce=rgu1VjOl2J0HHItd&response_type=code&scope=openid&redirect_uri=http://localhost&client_id=spl-api

Copy

Sample successful PAR response which returns the request_uri and the validity period of the request

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
 
{
    "expires_in": 600,
    "request_uri": "urn:hid:94f52a9a-a5ca-4395-a047-49d14739c3cc"
}

Error Responses

If the PAR endpoint detects errors in the request parameters, it returns an error.

Code	Label	Possible Errors
400	BAD REQUEST	invalid_scope invalid_request
401	UNAUTHORIZED	invalid_token
403	FORBIDDEN	insufficient_scope
500	INTERNAL SERVER ERROR	server_error

Copy

HTTP/1.1 400 Bad Request
 
{
    "error_description": "Invalid, unknown or malformed scope Scope not supported: wrong",
    "error": "invalid_scope"
}

Copy

HTTP/1.1 400 Bad Request
 
{
    "error_description": "Invalid request : client_id not match",
    "error": "invalid_request"
}

Copy

HTTP/1.1 401 Unauthorized
 
{
    "error_description": "Invalid access token: Bearer token is invalid",
    "error": "invalid_token"
}