Pushing the Boundaries of OAuth and OIDC Security - Push Authorization Request (PAR)
- Sagara Gunathunga
- Director - WSO2
In the world of API security, OAuth 2.0 plays a crucial role in authorization. OpenID Connect (OIDC) works seamlessly with OAuth 2.0, providing an identity layer that ensures standardized authentication and user information for applications. Among various grant types, the Authorization Code stands out as a recommended standard. It's known for its advanced security features, support for refresh tokens, reduced exposure of credentials, and adaptability for both server-side and front-end applications.
Challenges Lurking in the Shadows
Let's explore the Authorization Code grant flow journey through a simple diagram. It illustrates the interaction among an application (OAuth2 client/OIDC RP), an Authorization Server, and the user agent (typically a web browser). It begins with the authorization request, carried out through an HTTP Get call, portraying a secure process. Yet, beneath the surface, challenges come into view.
Figure 1
Not-So-Perfect Authorization Code
While the Authorization Code grant type is hailed for its security, it's not flawless, especially in tightly regulated industries like finance. The use of user agents, such as browsers, introduces flaws tied to the initial authorization request. Considerations include:
- Integrity Concerns: No guarantee that request parameters remain unaltered during transmission, lacking cryptographic integrity techniques.
- Confidentiality Challenges: Data transmitted via the authorization request is exposed, and susceptible to leaks and server log entries.
- Size Matters: In industry-specific scenarios like open banking, the authorization requests URL can grow unwieldy for browsers.
- Delayed Authentication: Client authentication with the Authorization Server waits until the final token request, viewed by some as a potential drawback.
Introducing Push Authorization Request (PAR)
To handle these issues, we need to enhance the current grant type. Although OAuth2 Security Best Practice provides suggestions to reduce security risks, it doesn't address all the mentioned concerns. This is where the OAuth2 Push Authorization Request (PAR) specification comes in— designed to revamp Authorization Code flows.
Two-Step Symphony
The PAR specification orchestrates a two-step process, redefining the Authorization Code grant type. In the first act, the client initiates a secure, direct HTTP POST request to the new PAR endpoint of the authorization server. This step excludes user agents, ensuring airtight security and sidestepping associated flaws.
Figure 2
The authorization server validates the request parameters and rewards the client with a reference value known as a request_uri. Noteworthy here is the support for client authentication, bringing confidentiality to the initial stages of the protocol flow.
The second act mirrors the standard Authorization Code grant type's authorization request, with a twist. Instead of transmitting actual request parameters, the client employs the received request_uri in an HTTP GET request to the Authorization Server's authorization endpoint. The Authorization Server, now satisfied, issues the client an authorization grant (code), paving the way for the customary token request.
Harnessing the Power of PAR
The PAR endpoint goes beyond handling single request parameters. It's innovative, accepting parameters encoded within a request object, following the OpenID Connect protocol. This request object, a JWT, lets clients use cryptographic protection with JWT Web Signature (JWS) and JWT Web Encryption (JWE).
PAR adoption isn't just a concept; it's gaining popularity in sectors prioritizing security. See its effectiveness in Financial-grade APIs Part 2, Australian Consumer Data Right (CDR), and Open Banking initiatives in Brazil.
Asgardeo is aligned with this initiative supporting the PAR specification. Enhance the security of your Authorization Code flows in APIs and applications. Explore Asgardeo's PAR support details here and find a practical guide here.
If you use WSO2 Identity Server for on-premise identity management, good news! The upcoming WSO2 IS 7.0 release brings PAR support, ensuring smooth integration of security and innovation.
In the ongoing evolution of OAuth and OIDC, PAR takes center stage, enhancing security and reshaping Authorization Code flows. Embrace these changes, enhance your application security, and stay tuned for the unfolding story.