Re: [OAUTH-WG] PAR: pushed requests must become JWTs

"Richard Backman, Annabelle" <> Wed, 08 January 2020 23:58 UTC

From: "Richard Backman, Annabelle" <>
To: Torsten Lodderstedt <>
CC: oauth <>
Date: Wed, 08 Jan 2020 23:58:11 +0000

It would be more appropriate to add the text to JAR rather than PAR. It doesn't seem right for PAR to retcon rules in JAR. Moving the text to JAR also highlights the weirdness of giving PAR special treatment.

What if we changed this sentence in Section 5.2 of JAR:

    The contents of the resource referenced by the URI MUST be a Request
    Object.

to:

    The contents of the resource referenced by the URI MUST be a Request
    Object, unless the URI was provided to the client by the Authorization

This would allow for use cases such as an AS that provides pre-defined request URIs, or vends request URIs via a client management console, or bakes them into their client apps.


Annabelle Richard Backman

AWS Identity

On 1/8/20, 2:50 PM, "Torsten Lodderstedt" <> wrote:


    you are right, PAR does not require the AS to represent the request as a JWT-based request object. The URI is used as internal reference only. That's why the draft states

    "There is no need to make the authorization request data available to other parties via this
    This difference matters from an AS implementation perspective, it doesn't matter from a client's (interop) perspective.

    We may add a statement to PAR saying that request_uris issued by the PAR mechanism (MAY) deviate from the JAR definition.

    best regards,


    > On 8. Jan 2020, at 23:42, Richard Backman, Annabelle <> wrote:


    > Hi all,


    > The current drafts of PAR (-00) and JAR (-20) require that the AS transform all pushed requests into JWTs. This requirement arises from the following:

    >         • PAR uses the request_uri parameter defined in JAR to communicate the pushed request to the authorization endpoint.

    >         • According to JAR, the resource referenced by request_uri MUST be a Request Object. (Section 5.2)

    >         • Request Object is defined to be a JWT containing all the authorization request parameters. (Section 2.1)


    > There is no need for this requirement to support interoperability, as this is internal to the AS. It is also inconsistent with the rest of JAR, which avoids attempting to define the internal communications between the two AS endpoints. Worse, this restriction makes it harder for the authorization endpoint to leverage validation and other work performed at the PAR endpoint, as the state or outcome of that work must be forced into the JWT format (or retrieved via a subsequent service call or database lookup).


    > –

    > Annabelle Richard Backman

    > AWS Identity


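The point both messages above make, that a PAR-issued request_uri is an internal reference the AS can resolve however it likes, is easiest to see in code. The following is an added illustration, not code from the thread or from the PAR/JAR drafts: an AS that stores the pushed, already-validated parameters under an opaque handle and resolves that handle at the authorization endpoint by lookup only, never by fetching or parsing a JWT. The urn:ietf:params:oauth:request_uri: prefix is the one PAR defines; the class and method names, the 60-second lifetime and the sample request are illustrative assumptions. Binding the handle to the pushing client, expiring it and making it single-use are the checks a practitioner would want on such a reference, since the handle itself carries no signature.

```python
"""Added example (not from the thread or the PAR/JAR drafts): an AS that treats
a PAR-issued request_uri as an opaque internal handle rather than as a reference
to a JWT Request Object.  Class/method names and the 60-second lifetime are
illustrative assumptions; the urn:ietf:params:oauth:request_uri: prefix is the
one the PAR draft defines."""
import secrets
import time
from dataclasses import dataclass

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


@dataclass
class PushedRequest:
    client_id: str      # client that pushed the request; re-checked at /authorize
    params: dict        # authorization request parameters, validated at push time
    expires_at: float   # absolute expiry, seconds since epoch


class AuthorizationServer:
    def __init__(self, now=time.time, lifetime=60):
        self._store = {}        # request_uri -> PushedRequest; never serialised as a JWT
        self._now = now         # injectable clock so expiry can be tested offline
        self._lifetime = lifetime

    def par_endpoint(self, client_id, params):
        """Validate once, at push time, and hand back an opaque reference.

        client_id is the identity established by client authentication at the
        PAR endpoint; errors surface here, before any user interaction."""
        if "request_uri" in params:
            return {"error": "invalid_request"}   # PAR forbids nesting a request_uri
        if params.get("client_id", client_id) != client_id:
            return {"error": "invalid_request"}   # must match the authenticated client
        if "response_type" not in params or "redirect_uri" not in params:
            return {"error": "invalid_request"}
        handle = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._store[handle] = PushedRequest(
            client_id=client_id,
            params=dict(params, client_id=client_id),
            expires_at=self._now() + self._lifetime,
        )
        return {"request_uri": handle, "expires_in": self._lifetime}

    def authorization_endpoint(self, client_id, request_uri):
        """Resolve a request_uri this AS minted itself: lookup only, no fetch, no JWT.

        client_id is the value presented on the /authorize query string."""
        if not request_uri.startswith(REQUEST_URI_PREFIX):
            # A request_uri the AS did not issue would need JAR's by-reference path
            # (dereference, then verify a signed Request Object); this AS offers none.
            return {"error": "request_uri_not_supported"}
        # pop(): the handle is single-use, so even a probe with the wrong client_id
        # consumes it rather than leaving it redeemable later.
        entry = self._store.pop(request_uri, None)
        if entry is None:
            return {"error": "invalid_request_uri"}   # unknown or already consumed
        if entry.expires_at <= self._now():
            return {"error": "invalid_request_uri"}   # expired
        if entry.client_id != client_id:
            return {"error": "invalid_request_uri"}   # presented by a different client
        return {"params": entry.params}
```

Nothing at the authorization endpoint needs to know how the pushed request was encoded; the validation outcome from the PAR endpoint travels inside the stored entry, which is exactly what the original post says the JWT requirement gets in the way of.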