features.pushedAuthorizationRequests

RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)

Specifies whether Pushed Authorization Request capabilities shall be enabled. When enabled, the authorization server shall expose a pushed authorization request endpoint that allows clients to lodge authorization request parameters at the authorization server prior to redirecting end-users to the authorization endpoint, enhancing security by removing the need to transmit parameters via query string parameters.

default value:

{
  allowUnregisteredRedirectUris: false,
  enabled: true,
  requirePushedAuthorizationRequests: false
}

(Click to expand) features.pushedAuthorizationRequests options details

allowUnregisteredRedirectUris

Specifies whether unregistered redirect_uri values shall be permitted for authenticated clients using PAR that do not utilize a sector_identifier_uri. This configuration enables dynamic redirect URI specification within the security constraints of the pushed authorization request mechanism.

default value:

false

requirePushedAuthorizationRequests

Specifies whether PAR usage shall be mandatory for all authorization requests as an authorization server security policy. When enabled, the authorization server shall reject authorization endpoint requests that do not utilize the pushed authorization request mechanism.

default value:

false

---