Protocol Action: 'OAuth 2.0 Pushed Authorization Requests' to Proposed Standard (draft-ietf-oauth-par-10.txt)

The IESG <> Fri, 30 July 2021 00:50 UTC

The IESG has approved the following document:
- 'OAuth 2.0 Pushed Authorization Requests'
  (draft-ietf-oauth-par-10.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Benjamin Kaduk and Roman Danyliw.

A URL of this Internet Draft is:

Technical Summary

   This document defines the pushed authorization request endpoint,
   which allows clients to push the payload of an OAuth 2.0
   authorization request to the authorization server via a direct
   request and provides them with a request URI that is used as
   reference to the data in a subsequent call to the authorization

Working Group Summary

  The document changes the way to interact with the authorization 
  request endpoint. The use of this work is envisioned within the 
  finance sector.  

Document Quality

Based on feedback provided by participants of the OAuth working group
the following implementations of PAR are available:

Open source framework implementing PAR (with optional JWSREQ) in Golang:

Authlete supports PAR and has passed the PAR test cases in the OpenID
conformance suite. Documents mentioning Authlete's PAR support are here:

The Node.js open source openid-client project:

Glewlwyd 2.5.2 supports PAR:

PAR is supported by the Connect2id server and the open source OAuth 2.0 / OIDC SDK, 
which has also been picked up by some downstream security frameworks and projects:

The Yes Signing Flow is based on PAR and therefore implemented by our banks (> 1000).
A python client for the yes signing flow is publicly available that uses PAR:	

Authress supports PAR.

The Node.js open source oidc-provider project implements PAR behind a feature flag:

The open source project "Loginbuddy" implements PAR and the functionality is 
documented here:

PingFederate has officially released PAR, see

Finally, ForgeRock plans to implement PAR.


Hannes Tschofenig is the document shepherd.

Roman Danyliw is the responsible area director.
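
The flow described in the Technical Summary, as an added example that is not part of the IESG announcement or of any implementation listed above: a toy in-memory server accepts a pushed request, returns a request URI, and resolves it at the authorization endpoint only once, before expiry, and for the client that pushed it. The class and function names, client identifier and URLs are constructed for illustration; the `urn:ietf:params:oauth:request_uri:` prefix, the 201 response and the checks shown follow the PAR specification rather than this message.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"

class AuthorizationServer:
    """Hypothetical in-memory server: PAR endpoint plus request_uri lookup."""
    def __init__(self, lifetime=60, clock=time.time):
        self.lifetime, self.clock, self.pushed = lifetime, clock, {}

    def par_endpoint(self, client_id, params):
        # Assumption: client authentication already succeeded for client_id.
        if "request_uri" in params:
            return 400, {"error": "invalid_request"}  # no reference inside a push
        ref = URN_PREFIX + secrets.token_urlsafe(32)  # unguessable handle
        self.pushed[ref] = (client_id, dict(params), self.clock() + self.lifetime)
        return 201, {"request_uri": ref, "expires_in": self.lifetime}

    def authorization_endpoint(self, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        entry = self.pushed.pop(q.get("request_uri", ""), None)  # consumed on first use
        if entry is None:
            return None  # unknown or already used
        client_id, params, expires_at = entry
        if q.get("client_id") != client_id or self.clock() > expires_at:
            return None  # bound to the pushing client and short-lived
        return params

def authorization_url(endpoint, client_id, request_uri):
    # The browser-visible URL carries only the reference, not the payload.
    return endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})

def demo():
    now = [1000.0]  # constructed clock so expiry can be exercised offline
    server = AuthorizationServer(lifetime=60, clock=lambda: now[0])
    pushed = {"response_type": "code", "redirect_uri": "https://client.example/cb",
              "scope": "payments", "state": "af0ifjsldkj"}  # constructed sample
    status, body = server.par_endpoint("s6BhdRkqt3", pushed)
    url = authorization_url("https://as.example/authorize", "s6BhdRkqt3", body["request_uri"])
    first = server.authorization_endpoint(url)
    replay = server.authorization_endpoint(url)
    return status, url, first, replay

if __name__ == "__main__":
    print(demo())
```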