PingOne Platform APIs

Pushed Authorization Request

Applications can use a pushed authorization request (PAR) to securely initiate authorization flows. A PAR allows applications to send their authorization requests directly to PingOne without going through the browser, which safeguards sensitive data from end-user devices.

With a PAR, an application can push an authorization request payload to PingOne with a direct back-channel request, which is a more secure method of sending sensitive data, such as personally identifiable information, than sending it with a browser on the front channel.

The POST /{{envID}}/as/par endpoint accepts the same request parameters as /{{envID}}/as/authorize, as well as any additional parameters needed for client authentication. It can accept signed and unsigned requests. Requests must be less than 1 MB.

After PingOne validates the request and saves the payload, it returns the request_uri parameter as a reference to the payload. The response also indicates the lifetime of the request URI. The default lifetime is 60 seconds.

The application then uses the front channel to request an authorization code or token, sending the request_uri parameter to PingOne. PingOne uses the request URI to look up the request payload and continue the authorization flow. PingOne accepts a particular request URI only once.
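The flow described above, sketched as an added example (not PingOne's own code): it builds the back-channel PAR request, then builds the front-channel authorization URL that carries only the request_uri reference, and refuses to reuse or send an expired reference. Assumptions: the host auth.example.com is a placeholder, HTTP Basic client authentication is one possible method, the expires_in response field name comes from RFC 9126, and all identifiers and sample values are constructed.

```python
import base64
import time
from urllib.parse import urlencode

BASE = "https://auth.example.com"   # placeholder host (assumption)
MAX_PAR_BYTES = 1_000_000           # conservative reading of the page's 1 MB request limit


def build_par_request(env_id, client_id, client_secret, params):
    """Back-channel POST to /{envID}/as/par: returns URL, headers and form body."""
    body = urlencode({"client_id": client_id, **params}).encode()
    if len(body) >= MAX_PAR_BYTES:
        raise ValueError("PAR payload must be under 1 MB")
    # HTTP Basic (client_secret_basic) is an assumed client authentication method
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"{BASE}/{env_id}/as/par", headers, body


class PushedRequest:
    """Holds the request_uri reference; enforces lifetime and single use client-side."""
    def __init__(self, par_response, received_at):
        self.request_uri = par_response["request_uri"]
        self.expires_at = received_at + par_response["expires_in"]
        self.used = False

    def authorize_url(self, env_id, client_id, now):
        if self.used:
            raise RuntimeError("request_uri already used; push a new request")
        if now >= self.expires_at:
            raise RuntimeError("request_uri expired; push a new request")
        self.used = True
        # Only the reference travels through the browser, never the payload.
        query = urlencode({"client_id": client_id, "request_uri": self.request_uri})
        return f"{BASE}/{env_id}/as/authorize?{query}"


# Constructed sample values, not real identifiers
ENV_ID, CLIENT_ID = "env-1234", "client-abcd"
SAMPLE_PARAMS = {"response_type": "code", "redirect_uri": "https://app.example.com/callback",
                 "scope": "openid profile", "login_hint": "jane.doe@example.com"}
SAMPLE_RESPONSE = {"request_uri": "urn:ietf:params:oauth:request_uri:constructed-ref", "expires_in": 60}

if __name__ == "__main__":
    url, _headers, body = build_par_request(ENV_ID, CLIENT_ID, "constructed-secret", SAMPLE_PARAMS)
    print("POST", url, body.decode())
    pushed = PushedRequest(SAMPLE_RESPONSE, received_at=time.time())
    print("GET", pushed.authorize_url(ENV_ID, CLIENT_ID, now=time.time()))
```

The login_hint value appears only in the POST body; the URL handed to the browser contains just client_id and request_uri.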

For more information on the PAR specification, refer to RFC 9126.