oauth2.dev

pushed_authorization_request_endpoint

IESG

Registry Context

This metadata value is the authorization server's PAR endpoint URL. Clients use it to discover where to POST an authorization request and receive a request_uri value for use at the authorization endpoint.

Technical Summary

pushed_authorization_request_endpoint is an OAuth Authorization Server Metadata parameter whose value is the HTTPS URL of the pushed authorization request endpoint defined by RFC 9126.

When Used

Used by authorization servers that support OAuth 2.0 Pushed Authorization Requests to advertise their PAR endpoint in authorization server metadata.

Normative Requirements

Authorization servers

MUST
1
  1. RFC 9126 - Section 2

    accept its pushed authorization request endpoint URL as a value identifying it as an intended audience.

    Condition: when JWT client assertion-based authentication is used

    the authorization server MUST accept its issuer identifier, token endpoint URL, or pushed authorization request endpoint URL as values that identify it as an intended audience.

authorization servers supporting PAR

SHOULD
1
  1. RFC 9126 - Section 2

    include their pushed authorization request endpoint URL in authorization server metadata using the pushed_authorization_request_endpoint parameter.

    Authorization servers supporting PAR SHOULD include the URL of their pushed authorization request endpoint in their authorization server metadata document.

PAR endpoint URL

MUST
1
  1. RFC 9126 - Section 2

    use the https scheme.

    The PAR endpoint URL MUST use the "https" scheme.

Validation Guidance

error

If present, validate pushed_authorization_request_endpoint as a URL using the https scheme.

warning

For an authorization server that supports PAR, warn if its authorization server metadata omits pushed_authorization_request_endpoint.

error

When testing JWT client assertion audience handling at the PAR endpoint, verify that the authorization server accepts its pushed_authorization_request_endpoint URL as an intended audience value.

Reference

Details

Entry Id
pushed_authorization_request_endpoint
Metadata Name
pushed_authorization_request_endpoint
Metadata Description
URL of the authorization server's pushed authorization request endpoint
Change Controller
IESG
Reference
RFC9126 - Section 5