Add support for OAuth 2.0 Pushed Authorization Requests (PAR) #210


Closed
TakahikoKawasaki opened this issue Feb 3, 2021 · 9 comments · Fixed by #1925
Assignees
Labels
status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@TakahikoKawasaki

PAR (OAuth 2.0 Pushed Authorization Requests).

PAR has a considerably big impact on authorization server implementations, especially if request_uri (OIDC Core 1.0 Section 6.2) is not supported yet. It is recommended that the feature is designed and implemented from the beginning.

@TakahikoKawasaki TakahikoKawasaki added the type: enhancement A general enhancement label Feb 3, 2021
@jgrandja
Collaborator

@TakahikoKawasaki Given that PAR is still in early draft phase, I'm curious if you know of any well-known OIDC providers that have implemented this as an experimental feature?

@jgrandja jgrandja added the status: waiting-for-feedback We need additional information before we can continue label Feb 17, 2021
@TakahikoKawasaki
Author

PAR is still in draft state but stable. CDR (Consumer Data Right) in Australia has adopted PAR. The official OpenID conformance suite already contains test cases for PAR. It has been determined that PAR will become a component of the next version of Financial-grade API (FAPI).

Authlete, Connect2id and node oidc-provider are examples that support PAR.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 17, 2021
@jgrandja jgrandja added status: on-hold We can't start working on this issue yet and removed status: feedback-provided Feedback has been provided labels Feb 17, 2021
@anoopgarlapati
Contributor

OAuth 2.0 Pushed Authorization Requests is now published as RFC 9126.

@darkedges

@TakahikoKawasaki / @jgrandja Started work on this, but I am unsure how to develop it properly in terms of how do I develop in both this project and the spring security project so that I can update that project too. Any examples of how to configure gradle to use the spring security project for the classes instead of the JARs from maven? That way I can complete that update too?

@darkedges

darkedges commented Jul 20, 2023

After taking @jgrandja advise I have rewritten it to be not part of the core packages.
My example is at https://github.com/darkedges/spring-authorization-server-par

However there are a number of issues that I don't know how to address.

  1. I had to modify the way the Authorization Server is configured.
    https://github.com/darkedges/spring-authorization-server-par/blob/main/src/main/java/sample/config/AuthorizationServerConfig.java#L59-L94

    I had to get the RequestMatcher for the default Security from OAuth2AuthorizationServerConfigurer and OAuth2PushedAuthorizationRequestEndpointConfigurer so that I can get access to the AuthenticationManager correctly, due to the way it was not available.
    Further had to do the same for CSRF to allow the POST request to work.

  2. Had to create a new OAuth2ClientAuthenticationFilter to handle the JWT client assertion, as I could not hook into the existing one.

  3. I am not sure how to extend the Authorization Code Grant code to use the PAR generated to get all the details supplied, to complete the code_challenge

  4. Need to extend the metadata endpoint to add in the require_pushed_authorization_requests and pushed_authorization_request_endpoint metadata.

So I need help with point 3 to understand how to hook into the existing processes without having to develop in the core package, so do I need to raise a Stack Exchange request?
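To make the server-side contract behind points 3 and 4 concrete, here is an added example (not code from the original thread, from darkedges's sample repository, or from Spring Authorization Server). It is a hypothetical, dependency-free JDK 17 class, `PushedAuthorizationRequestStore`, that models the two halves of RFC 9126: the PAR endpoint that stores pushed parameters (including `code_challenge`) under a freshly minted `request_uri`, and the lookup the authorization endpoint performs when it receives `client_id` plus `request_uri`. Client authentication is assumed to have already happened upstream (the `authenticatedClientId` argument); the `/as/par` path, the 60-second lifetime and the sample parameter values are constructed for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical, minimal model of the authorization-server side of RFC 9126 (PAR).
 * Not Spring Authorization Server code; uses only the JDK so it runs stand-alone.
 */
public final class PushedAuthorizationRequestStore {

    /** Prefix mandated for request_uri values minted by the PAR endpoint (RFC 9126 Section 2.2). */
    static final String REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:";

    /** What the server keeps per pushed request: owning client, parameters, expiry. */
    record PushedRequest(String clientId, Map<String, String> parameters, Instant expiresAt) {}

    /** JSON body returned by the PAR endpoint: { "request_uri": ..., "expires_in": ... }. */
    record ParResponse(String requestUri, long expiresIn) {}

    private final Map<String, PushedRequest> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration lifetime;

    PushedAuthorizationRequestStore(Duration lifetime) {
        this.lifetime = lifetime;
    }

    /**
     * POST /as/par. The client was already authenticated (e.g. by a client-assertion filter);
     * authenticatedClientId is the identity that authentication established.
     */
    ParResponse push(String authenticatedClientId, Map<String, String> params) {
        // RFC 9126 Section 2.1: a pushed request MUST NOT itself carry request_uri
        if (params.containsKey("request_uri")) {
            throw new IllegalArgumentException("invalid_request: request_uri not allowed here");
        }
        // If client_id appears in the body it has to match the authenticated client
        String bodyClientId = params.get("client_id");
        if (bodyClientId != null && !bodyClientId.equals(authenticatedClientId)) {
            throw new IllegalArgumentException("invalid_request: client_id mismatch");
        }
        // Unguessable, single-use handle: 256 random bits, base64url without padding
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        String requestUri = REQUEST_URI_PREFIX
                + Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        Instant expiresAt = Instant.now().plus(lifetime);
        store.put(requestUri, new PushedRequest(authenticatedClientId, Map.copyOf(params), expiresAt));
        return new ParResponse(requestUri, lifetime.getSeconds());
    }

    /**
     * GET /oauth2/authorize?client_id=...&request_uri=... : resolve the pushed parameters.
     * The entry is removed on the first lookup, so a replayed or mis-attributed request_uri
     * yields empty and the authorization endpoint must return invalid_request.
     */
    Optional<Map<String, String>> consume(String clientId, String requestUri) {
        if (requestUri == null || !requestUri.startsWith(REQUEST_URI_PREFIX)) {
            return Optional.empty();
        }
        PushedRequest pushed = store.remove(requestUri); // single use, even on a failed check
        if (pushed == null
                || !pushed.clientId().equals(clientId)      // bound to the pushing client
                || Instant.now().isAfter(pushed.expiresAt())) { // honour expires_in
            return Optional.empty();
        }
        return Optional.of(pushed.parameters());
    }

    /** RFC 9126 Section 5 entries to merge into the server's discovery metadata. */
    static Map<String, Object> metadata(String issuer, boolean requirePar) {
        return Map.of(
                "pushed_authorization_request_endpoint", issuer + "/as/par",
                "require_pushed_authorization_requests", requirePar);
    }

    public static void main(String[] args) {
        var par = new PushedAuthorizationRequestStore(Duration.ofSeconds(60));
        // Constructed sample of what a client POSTs to the PAR endpoint after authenticating
        var response = par.push("s6BhdRkqt3", Map.of(
                "response_type", "code",
                "redirect_uri", "https://client.example.org/cb",
                "scope", "openid",
                "code_challenge", "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
                "code_challenge_method", "S256"));
        System.out.println("request_uri=" + response.requestUri() + " expires_in=" + response.expiresIn());
        // First use by the owning client returns the stored parameters, code_challenge included
        System.out.println("first use:  " + par.consume("s6BhdRkqt3", response.requestUri()));
        // A second use of the same request_uri is rejected
        System.out.println("replay:     " + par.consume("s6BhdRkqt3", response.requestUri()));
        System.out.println(metadata("https://as.example.com", true));
    }
}
```

The point for an integration like the one described above is that the authorization code grant only needs `consume(...)` to hand back the original parameter map: PKCE verification at the token endpoint then works unchanged, because `code_challenge` and `code_challenge_method` come from the pushed request rather than from the front-channel query string. Setting `require_pushed_authorization_requests` to `true` in the metadata commits the server to rejecting authorization requests that arrive without a `request_uri`.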

@vanhoanHoang

Hi,
Do we have any update on the possibility of implementing this spec in Spring AS?

@jgrandja
Collaborator

jgrandja commented Mar 1, 2024

@vanhoanHoang No updates. It's still on hold and is not a priority at the moment.

@jgrandja
Collaborator

We are currently planning for Spring Authorization Server 1.5 and are considering adding support for PAR.

@jgrandja jgrandja removed the status: on-hold We can't start working on this issue yet label Dec 11, 2024
@jgrandja jgrandja self-assigned this Feb 26, 2025
@jgrandja jgrandja added this to the 1.5.0-M2 milestone Feb 26, 2025
@jgrandja jgrandja changed the title PAR (OAuth 2.0 Pushed Authorization Requests) Add support for OAuth 2.0 Pushed Authorization Requests (PAR) Feb 26, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Feb 28, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Feb 28, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Mar 1, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Mar 2, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Mar 2, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Mar 3, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Mar 3, 2025
jgrandja added a commit to jgrandja/spring-authorization-server that referenced this issue Mar 3, 2025
jgrandja added a commit that referenced this issue Mar 3, 2025
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Mar 3, 2025
@jgrandja jgrandja removed this from the 1.5.0-M2 milestone Mar 3, 2025
@jgrandja
Collaborator

jgrandja commented Mar 4, 2025

Closing in favour of gh-1925

@jgrandja jgrandja closed this as completed Mar 4, 2025
jgrandja added a commit that referenced this issue Mar 4, 2025
6 participants