Wednesday 

Room 2 

13:40 - 14:40 

(UTC+01)

Talk (60 min)

PAR: Securing the OAuth and OpenID Connect Front-Channel

OAuth flows are initiated from the browser, in an authorization request that is not authenticated. To give the user the best experience, that request carries a number of parameters (redirect URI, scope, state, PKCE challenge and so on), all of them exposed in the URL. Manipulating those requests has been one of the most common attack vectors against OAuth.

Application Security

Pushed Authorization Requests (PAR, RFC 9126) is a newer specification from the OAuth protocol family that addresses those problems: the client first sends the request parameters to the authorization server over an authenticated back-channel call, and the browser-facing authorization request then carries only a reference to them, so the parameters no longer appear in the URL at all.

Learn how PAR works, why we think it should be the default going forward, and which additional scenarios it enables.
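The exchange the abstract describes, as an added example that is not code from the talk, from Duende Software or from IdentityServer: a small in-memory authorization server with a PAR endpoint and an authorize endpoint that only accepts pushed requests, plus the client side that pushes the parameters and builds the short front-channel URL. The class and function names, the https://as.example and https://app.example addresses, the 60-second request_uri lifetime and the client credentials are all assumptions constructed for the demonstration.

```python
"""In-memory model of RFC 9126 Pushed Authorization Requests (PAR).

Added example; not Duende/IdentityServer code. AuthorizationServer, client_push,
REQUEST_URI_LIFETIME, the example.* hosts and the client credentials are assumptions.
"""
import base64
import binascii
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

PAR_URN_PREFIX = "urn:ietf:params:oauth:request_uri:"  # URN prefix registered by RFC 9126
REQUEST_URI_LIFETIME = 60                             # seconds; AS policy choice (assumption)
AUTHORIZE_ENDPOINT = "https://as.example/authorize"     # assumed endpoint

# Constructed demo client and a typical authorization-code + PKCE request.
CLIENT_ID = "web-app"
CLIENT_SECRET = "s3cret-demo-only"
AUTHZ_PARAMS = {
    "response_type": "code", "client_id": CLIENT_ID,
    "redirect_uri": "https://app.example/cb", "scope": "openid profile",
    "state": "af0ifjsldkj", "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
    "code_challenge_method": "S256",
}


class FakeClock:
    """Injectable clock so request_uri expiry can be exercised without sleeping."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """AS that enforces require_pushed_authorization_requests for every client."""

    def __init__(self, clients, now=time.time):
        self._clients = clients   # client_id -> {"secret": str, "redirect_uris": [str]}
        self._pushed = {}         # request_uri -> (client_id, params, expires_at)
        self._now = now

    def _authenticate_client(self, headers):
        """client_secret_basic; returns the client_id or None. Confidential clients only."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return None
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"].encode(), secret.encode()):
            return None
        return client_id

    def par_endpoint(self, headers, form):
        """POST to the PAR endpoint: authenticated back-channel, parameters validated up front."""
        client_id = self._authenticate_client(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        if "request_uri" in form:                        # RFC 9126 s2.1: not allowed in a push
            return 400, {"error": "invalid_request"}
        if form.get("client_id", client_id) != client_id:  # body must match the authenticated client
            return 400, {"error": "invalid_request"}
        if form.get("redirect_uri") not in self._clients[client_id]["redirect_uris"]:
            return 400, {"error": "invalid_request"}     # rejected before any browser redirect exists
        if form.get("response_type") != "code":
            return 400, {"error": "unsupported_response_type"}
        request_uri = PAR_URN_PREFIX + secrets.token_urlsafe(32)   # unguessable reference
        self._pushed[request_uri] = (client_id, dict(form), self._now() + REQUEST_URI_LIFETIME)
        return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_LIFETIME}

    def authorize_endpoint(self, query):
        """GET /authorize: only client_id and request_uri are accepted on the front channel."""
        if set(query) != {"client_id", "request_uri"}:
            return 400, {"error": "invalid_request"}     # classic parameter-laden request refused
        entry = self._pushed.pop(query["request_uri"], None)        # one-time use
        if entry is None:
            return 400, {"error": "invalid_request"}
        client_id, params, expires_at = entry
        if client_id != query["client_id"] or self._now() > expires_at:
            return 400, {"error": "invalid_request"}     # bound to wrong client, or expired
        return 200, params   # the AS continues login/consent using the pushed parameters


def new_server(now=time.time):
    clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": ["https://app.example/cb"]}}
    return AuthorizationServer(clients, now)


def client_push(server, client_id, secret, params):
    """Client side: push the parameters, then build the minimal browser URL."""
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    status, body = server.par_endpoint({"Authorization": "Basic " + creds}, params)
    if status != 201:
        return status, body
    url = AUTHORIZE_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": body["request_uri"]})
    return status, url


def authorize_via_url(server, url):
    """What the browser does with the URL: hit /authorize with exactly its query parameters."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return server.authorize_endpoint(query)


if __name__ == "__main__":
    srv = new_server()
    status, url = client_push(srv, CLIENT_ID, CLIENT_SECRET, AUTHZ_PARAMS)
    print(status, url)                       # only client_id and request_uri are visible
    print(authorize_via_url(srv, url))       # (200, {...the pushed parameters...})
    print(authorize_via_url(srv, url))       # (400, ...) second use of the same request_uri
```

The redirect URI and the other parameters are checked while the client is still authenticated, before any browser is redirected anywhere, which is the point of moving them off the front channel; the single-use and expiry checks on the request_uri keep a captured URL from being replayed later.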

Dominick Baier

Dominick spent most of his professional career implementing security systems for his customers and reading protocol specifications. This resulted in a number of popular open-source projects like IdentityServer and IdentityModel. Since 2020 he has run Duende Software Inc together with his longtime friend and colleague Brock Allen. Duende provides a sustainable home for the IdentityServer project and is the one-stop shop for all things OpenID Connect and OAuth for .NET-based companies.