OAuth extension that pushes the authorization request over a back channel before the redirect.
PAR (Pushed Authorization Requests, RFC 9126, 2021) is an OAuth 2.0 extension that improves security by "pushing" the authorization request over a back channel (a direct client-to-server HTTPS POST) before the user is redirected, instead of placing the parameters in the redirect URL. It addresses several problems of the classic authorization request: URL length limits, parameter tampering, and leakage through Referer headers and logs.
Problem solved: a classic OAuth authorization request carries every parameter (client_id, scope, redirect_uri, code_challenge, state, custom claims) in the URL query string. Problems: (1) URL length limits; (2) Referer leaks; (3) browser history exposure; (4) intermediate proxies see the parameters; (5) the parameters can be tampered with while they transit an untrusted user agent, and the authorization server cannot verify at that point which client actually built the request.
PAR workflow:
(1) The client (typically a confidential, server-side client) POSTs all authorization parameters (client_id, scope, redirect_uri, code_challenge, state, claims) to the IdP's PAR endpoint (e.g. /par), authenticating the same way it would at the token endpoint.
(2) The IdP authenticates the client, validates the parameters, stores them, and returns a **request_uri** (e.g. `urn:ietf:params:oauth:request_uri:abc123`) together with expires_in (short-lived; 90 s in the RFC's example).
(3) The client redirects the user to `/authorize?client_id=X&request_uri=urn:...:abc123`.
(4) The IdP looks up the stored parameters (the request_uri is meant to be used once) and processes the authorization as usual.
(5) The flow continues as a normal authorization code flow: the code is returned to redirect_uri and exchanged at the token endpoint (with the PKCE verifier).
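The five steps above, as an added example that is not code from the page, from RFC 9126 or from any named IdP: an in-memory model with both the client side and the authorization server side. The PAR endpoint authenticates the client, validates and stores the pushed parameters and issues a short-lived request_uri; the authorize endpoint resolves it once, checks expiry and the client_id binding, and then hands the stored parameters to the normal code flow. The client registration (CLIENT_ID, CLIENT_SECRET, REDIRECT_URI), the AS host name and the 90-second lifetime are constructed for the example.

```python
"""Added example, not code from the page, RFC 9126 or any named IdP: an in-memory
model of the PAR exchange with both the client and the authorization server side.
The client registration (CLIENT_ID / CLIENT_SECRET / REDIRECT_URI), the AS host
name and the 90-second request_uri lifetime are constructed for the example."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "s6BhdRkqt3"            # constructed client registration
CLIENT_SECRET = "constructed-secret"
REDIRECT_URI = "https://client.example.org/cb"
REQUEST_URI_TTL = 90                # seconds; RFC 9126 uses 90 in its example


class AuthorizationServer:
    """Minimal AS: a PAR endpoint that stores pushed requests and an authorize
    endpoint that resolves them. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
        self.pushed = {}  # request_uri -> (client_id, params, expires_at)

    def par_endpoint(self, client_id, client_secret, params):
        """POST /par: authenticate the client as at the token endpoint, validate the
        authorization parameters, store them, return a short-lived request_uri."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return 401, {"error": "invalid_client"}
        if "request_uri" in params:  # RFC 9126 sec. 2.1: request_uri is not allowed here
            return 400, {"error": "invalid_request"}
        if params.get("client_id") != client_id:  # body client_id must match the authenticated client
            return 400, {"error": "invalid_request"}
        if params.get("redirect_uri") not in client["redirect_uris"]:
            return 400, {"error": "invalid_request"}
        if params.get("response_type") != "code" or not params.get("code_challenge"):
            return 400, {"error": "invalid_request"}
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(24)
        self.pushed[request_uri] = (client_id, dict(params), self.now() + REQUEST_URI_TTL)
        return 201, {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}

    def authorize_endpoint(self, query):
        """GET /authorize?client_id=..&request_uri=..: resolve the pushed request.
        Only the stored parameters are honoured; the request_uri is single use."""
        entry = self.pushed.pop(query.get("request_uri"), None)  # pop => one-time use
        if entry is None:
            return 400, {"error": "invalid_request_uri"}
        owner, params, expires_at = entry
        if self.now() > expires_at:
            return 400, {"error": "invalid_request_uri"}
        if owner != query.get("client_id"):
            return 400, {"error": "invalid_request"}
        return 200, params  # from here on: the normal authorization code flow


def pkce_pair():
    """PKCE verifier and its S256 challenge (the challenge is what gets pushed)."""
    verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_par_flow(as_, scope):
    """Client side: push the full request, get back a request_uri, build the
    front-channel redirect that carries only client_id and request_uri."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    pushed = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    status, body = as_.par_endpoint(CLIENT_ID, CLIENT_SECRET, pushed)
    if status != 201:
        raise RuntimeError(f"PAR rejected: {body}")
    redirect = "https://as.example.com/authorize?" + urlencode(
        {"client_id": CLIENT_ID, "request_uri": body["request_uri"]})
    return redirect, verifier, state  # verifier and state stay in the client session


def redirect_query(redirect):
    """What the user agent actually carries to the AS (parsed query string)."""
    return {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}


def run_demo(now=time.time):
    """Full happy path: push, redirect, resolve. Returns what each side saw."""
    as_ = AuthorizationServer(now)
    redirect, _verifier, state = start_par_flow(as_, "openid accounts")
    status, params = as_.authorize_endpoint(redirect_query(redirect))
    return redirect, status, params, state


if __name__ == "__main__":
    redirect, status, params, state = run_demo()
    print(redirect)
    print(status, params["scope"], params["state"] == state)
```

The redirect the browser follows contains nothing but client_id and an opaque request_uri, so a Referer header or a proxy log reveals no scope, state or code_challenge; replaying the same request_uri, presenting it after expires_in, or presenting it under a different client_id is rejected at the authorize endpoint, and a PAR body that itself contains request_uri is refused, as RFC 9126 requires.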
Strengths:
(1) **No parameters in the URL** beyond client_id and request_uri: no Referer leak, no length limit, no front-channel tampering (the IdP processes the stored request, not whatever the user agent carried).
(2) **Client authentication at the PAR endpoint**: the IdP knows which client built the request and can reject a bad one before the user is involved; the back channel also keeps the parameters confidential from the user agent.
(3) **Required by FAPI 2.0** (Financial-grade API Security Profile): mandatory for banking-grade OAuth.
(4) **Combined with JAR** (JWT-Secured Authorization Request, RFC 9101): a signed request object pushed via PAR adds integrity and origin authentication of the request itself.
(5) **Combined with DPoP** (RFC 9449) or mTLS (RFC 8705): a fully sender-constrained token chain.
Use cases:
(1) **Open Banking / PSD2**: FAPI compliance.
(2) **Healthcare APIs**: HL7 FHIR profiles.
(3) **Government / eIDAS** authentication.
(4) **Large, complex authorization requests**: many claims or scopes whose URL would exceed length limits.
Adoption:
- **Authlete, ForgeRock, Okta, Ping, Curity**: IdPs that support it.
- **OAuth 2.1** draft references PAR as recommended practice.
- **FAPI 2.0**: mandatory.
- **Brazilian Open Finance, UK Open Banking, EU PSD2 SCA** profiles build on PAR.
Limitations: (1) slow adoption for SPAs: the PAR endpoint must be reachable from the browser (CORS), and a public client gains no client-authentication benefit there; (2) library support is still maturing; (3) it adds one back-channel round trip before the redirect.