https://www.ory.sh/ logo
#contributors
Title
# contributors
l

late-tiger-78467

10/14/2021, 7:13 AM
@User I have PAR implemented on my Fosite consumer (think of it as another Hydra). I will port that into Fosite when time permits, but want to confirm this is worth doing. Pushed authorization request spec just became a proper RFC in September. Effectively, there's a new PARStorer, a new request handler and a modification to NewAuthorizeRequest.
@high-optician-2097 Was just contemplating. While the spec doesn't dictate that PAR should be enforced on a client, should it be something that should be added as a
PARClient
interface with an
Enforced() boolean
func? The change is small to check and fail a request on the authorize endpoint if PAR is enforced and the request doesn't contain the right request_uri. But it doesn't match the spec exactly. This could also be implemented by consumers (like Hydra) by adding another authorize endpoint handler that performs any enforcement logic that it wants.
4 Views