Hi,

I’ll try to elaborate:

In the classic authorization code grant, anyone can create an authorization 
request and provide arbitrary parameters.

With pushed authorization requests, the client first needs to push the 
authorization request to the AS and receives a request_uri in return. This 
request_uri is then required in the authorization request and more or less 
replaces the normal parameters of an authorization request with those 
provided in the PAR.

If anyone can make the pushed authorization request, nothing is gained, as anyone 
can send their own parameters to the AS and retrieve a request_uri.

If authentication is required for pushed authorization requests, only the 
client has control over the parameters that are sent to the AS, and parameter 
tampering is no longer possible.

Best,
Benjamin
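To make the point above concrete, here is a constructed in-memory model of an AS with a PAR endpoint and an authorization endpoint that reads only client_id and request_uri. It is added example code, not from the thread or from RFC 9126; the client id, secret and URLs are made up.

```python
import hmac
import secrets

# Constructed registration data (made-up client id, secret and redirect URI).
REGISTERED = {
    "s6BhdRkqt3": {"secret": "client-secret-1", "redirect_uri": "https://client.example.org/cb"}
}


class AuthorizationServer:
    def __init__(self, require_client_auth):
        self.require_client_auth = require_client_auth
        self._pushed = {}  # request_uri -> (client_id, parameters)

    def par_endpoint(self, client_id, client_secret, params):
        """PAR endpoint: validate and store the parameters, hand back a request_uri."""
        client = REGISTERED.get(client_id)
        if client is None:
            raise PermissionError("invalid_client")
        if self.require_client_auth and not hmac.compare_digest(client["secret"], client_secret or ""):
            raise PermissionError("invalid_client")  # caller cannot prove it is the client
        if params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid_request")  # same checks the authorization endpoint would run
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._pushed[request_uri] = (client_id, dict(params))
        return request_uri

    def authorization_endpoint(self, client_id, request_uri):
        """Front channel: nothing but client_id and request_uri is read; the stored PAR supplies the rest."""
        entry = self._pushed.pop(request_uri, None)  # one-time use
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid_request_uri")
        return entry[1]


def legitimate_flow(authz):
    """The real client pushes its parameters, then the browser is sent on with only the request_uri."""
    params = {"response_type": "code", "redirect_uri": "https://client.example.org/cb", "scope": "openid"}
    uri = authz.par_endpoint("s6BhdRkqt3", "client-secret-1", params)
    return authz.authorization_endpoint("s6BhdRkqt3", uri)


def tampering_possible(authz):
    """Someone who knows only the public client_id tries to push their own parameters."""
    foreign = {"response_type": "code", "redirect_uri": "https://client.example.org/cb", "scope": "openid offline_access"}
    try:
        authz.par_endpoint("s6BhdRkqt3", None, foreign)
        return True  # a request_uri was issued for parameters the client never chose
    except PermissionError:
        return False
```

Without client authentication the unauthenticated push succeeds and a request_uri is bound to foreign parameters; with it, only the client's own pushed parameters can ever sit behind a request_uri.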


From: Nikos Fotiou <fot...@aueb.gr>
Sent: Friday, 29 November 2024 14:51
To: Benjamin Häublein <benjamin.haeubl...@cirosec.de>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] PAR and client authentication

Hi,
I can’t see how client authentication prevents request tampering.

Best,
Nikos



On 29 Nov 2024, at 2:55 PM, Benjamin Häublein 
<benjamin.haeubl...@cirosec.de> wrote:

Hi,

The goal of PAR is to protect the parameters of the authorization request from 
tampering.
If there is no authentication of the client anybody could push an authorization 
request, and nothing would be gained. Thus, client authentication is required.

Best regards,
Benjamin
From: Nikos Fotiou <fot...@aueb.gr>
Sent: Friday, 29 November 2024 13:11
To: oauth@ietf.org
Subject: [OAUTH-WG] PAR and client authentication

Hi,
I was wondering why in PAR the client authenticates itself also to the 
authorization endpoint 
(https://datatracker.ietf.org/doc/html/rfc9126#section-2.1).

Best,
Nikos

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org