I know this is a bit of an old thread to dig up, but as I'm working through
this draft again, something is sticking out to me about this.
In every other instance of "*_uri" in OAuth and extensions, the value is a
URI (usually https) which will be visited by the user's browser or be sent
a POST request from a client. In the case of PAR, this "request_uri" is
actually just an identifier that is *added* to an existing URL, the
authorization endpoint, not a URL that will be visited itself. This
discrepancy is bothering me.
I would have expected that either:
* The PAR response includes a "request_uri" which is the full URL that the
client would redirect the user's browser to, OR
* The PAR response includes a "request_id" which it adds in the query
string to the authorization endpoint and then redirects the browser to
For example:
POST /as/par HTTP/1.1
....
response:
{
"request_uri": "
https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2";,
"expires_in": 60
}
then the user's browser is sent to whatever the value of "request_uri" is
OR
POST /as/par HTTP/1.1
....
response:
{
"request_id":
"urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
"expires_in": 60
}
then the "request_id" is added to the authorization endpoint (as currently
described by PAR)
https://as.example.com/auth?
client_id=s6BhdRkqt3&request_uri=urn%3Aietf%3Aparams
%3Aoauth%3Arequest_uri%3Abwc4JK-ESC0w8acc191e-Y1LTC2
My personal preference is the first option, keeping the term "request_uri"
but having it actually be the full URI, to simplify the job of the client.
In that model, the client doesn't have to mess with building URLs, and
actually provides additional flexibility for the AS as well since that
endpoint no longer needs to be the exact same URL as the authorization
endpoint.
---
Aaron Parecki
https://aaronparecki.com
On Thu, Jan 16, 2020 at 8:25 AM Torsten Lodderstedt <torsten=
40lodderstedt....@dmarc.ietf.org> wrote:
> I just thought about another option. What if we change PAR to not use the
> request_uri parameter but a new parameter, e.g. request_id?
>
> That would decouple both specs. The reason why we use request_uri was to
> make the life of clients easier since they can use the standard library
> function for request objects to pass the PAR reference to the AS. Is this
> worth the trouble?
>
> Am 16.01.2020 um 16:48 schrieb Justin Richer <jric...@mit.edu>:
>
> +1 to this approach, and it sounds like JAR might need to come back to go
> through another round anyway thanks to the breaking changes the IESG pushed
> into it after it left WGLC.
>
> I’d rather see us get this right than publish something many of us think
> is broken.
>
> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>
> — Justin
>
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
