Re: [OAUTH-WG] PAR: pushed requests must become JWTs

Torsten Lodderstedt <> Wed, 08 January 2020 22:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E4D6312010C for <>; Wed, 8 Jan 2020 14:50:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fCMsVhtMrNht for <>; Wed, 8 Jan 2020 14:50:22 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6CC68120072 for <>; Wed, 8 Jan 2020 14:50:22 -0800 (PST)
Received: by with SMTP id p17so710757wmb.0 for <>; Wed, 08 Jan 2020 14:50:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=c2GD3INB5d7vOQ+CpCaDWGS0hO2W3ALgclc7Qh1rN9c=; b=g94jkKp/CW1/RGYYhM04kN5B/FKMiAjX3mmr/jGFwziMueNfFfL4Qj/B47SnjYBJjU a/RyCsZTC4+vIxYIC2jUxMYJdvyQWGNet6zReHK9VPQt0aqOzWBydXQENSSxAOom4NuE U2AMKsWdR4vnt8AkPihu4cOtba55DC35ZUqCCw8OpBVHv2xcCF1Dkr4/t09FBOFNVJeV 6ypE1WGhPUdlKepxAIDLlQLQH4KdfCcUDGMeqxrj+mBq5qySRvICKg8ux0Kl90VJ/YNy VINsIOGBs3X57wv+AbA6NS+coJfrCDRFct96SJmOLbQflJix66lEZnkSP/IX41zFiP4e ftTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=c2GD3INB5d7vOQ+CpCaDWGS0hO2W3ALgclc7Qh1rN9c=; b=D2StKDj2dQAJ+eVv1NgZMH+1e7LLxJk1nQWgaaf4u2LStyJ/ezvdsg4CKjAoDXzgGa YlNAxLwRrh4Ba5AZoS8ROIu4FZKAoVUMbeG9qkT+CsH5KbdrlwH+7/mJDBpBKWYMvwyY 5ImxkqkAgPcJm45h0VTsLNFZ7KbBkOH3RFF3scVYw9FB8Du4B9l3H+Qm1sm+34/UsUa+ oCyzlIPCvDD8cPTE3mp8kTsCqOu1wpllqSWNiH9BGzcZUXEIU3j3l1DS5umx/dgZmOnh eKO4L0kbCEtLhvBQTz0z1zvopGb383VxQ1hE7yG6zFI4S/rVSuXfqPOj7eK2O1VAQk4S 2lMw==
X-Gm-Message-State: APjAAAW7Kl7hwrBQ9/yG1/hQaOwwWqYumYwNaM6M69Y6Z9AYqWKD6NN7 jebrtb1J0vzMYV9cyshO8sxoJA==
X-Google-Smtp-Source: APXvYqzuemxV08nqxgKodCk+Wehq/pqpci6hvIimkjItpBaU1EqKqzrL8L5+zfNBt+awEYX7z343lQ==
X-Received: by 2002:a1c:ded6:: with SMTP id v205mr972588wmg.86.1578523820261; Wed, 08 Jan 2020 14:50:20 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id m7sm5888075wrr.40.2020. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Jan 2020 14:50:19 -0800 (PST)
From: Torsten Lodderstedt <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_8EFABC67-6C97-454D-B03B-C2EB264963A4"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.\))
Date: Wed, 08 Jan 2020 23:49:26 +0100
In-Reply-To: <>
Cc: oauth <>
To: "Richard Backman, Annabelle" <>
References: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] PAR: pushed requests must become JWTs
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jan 2020 22:50:25 -0000


you are right, PAR does not require the AS to represent the request as a JWT-based request object. The URI is used as internal reference only. That why the draft states 

"There is no need to make the
      authorization request data available to other parties via this

This difference matters from an AS implementation perspective, it doesn't matter from a client's (interop) perspective.

We may add a statement to PAR saying that request_uris issued by the PAR mechanism (MAY) deviate from the JAR definition. 

best regards,

> On 8. Jan 2020, at 23:42, Richard Backman, Annabelle <> wrote:
> Hi all,
> The current drafts of PAR (-00) and JAR (-20) require that the AS transform all pushed requests into JWTs. This requirement arises from the following:
> 	• PAR uses the request_uri parameter defined in JAR to communicate the pushed request to the authorization endpoint.
> 	• According to JAR, the resource referenced by request_uri MUST be a Request Object. (Section 5.2)
> 	• Request Object is defined to be a JWT containing all the authorization request parameters. (Section 2.1)
> There is no need for this requirement to support interoperability, as this is internal to the AS. It is also inconsistent with the rest of JAR, which avoids attempting to define the internal communications between the two AS endpoints. Worse, this restriction makes it harder for the authorization endpoint to leverage validation and other work performed at the PAR endpoint, as the state or outcome of that work must be forced into the JWT format (or retrieved via a subsequent service call or database lookup).
> – 
> Annabelle Richard Backman
> AWS Identity
> _______________________________________________
> OAuth mailing list