Hi,
I’ll try to elaborate:
In the classic authorization code grant, anyone can create an authorization
request and provide arbitrary parameters.
With a pushed authorization request, the client first needs to push the
authorization request to the AS; the client receives the request_uri. This
r
Hi,
I can’t see how client authentication prevents request tampering.
Best,
Nikos
> On 29 Nov 2024, at 2:55 PM, Benjamin Häublein
> wrote:
>
> Hi,
>
> the goal of PAR is to protect the parameters of the authorization request
> from tampering.
> If there is no authentication of the client
Hi,
the goal of PAR is to protect the parameters of the authorization request from
tampering.
If there is no authentication of the client, anybody could push an authorization
request, and nothing would be gained. Thus, client authentication is required.
Best regards,
Benjamin
From: Nikos Fotiou