Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U010F2N7G2X> I have PAR implemented on my Fosite consumer (think of it as another Hydra). I will port that into Fosite when time permits, but want to confirm this is worth doing. Pushed authorization request spec just became a proper RFC in September. Effectively, there's a new PARStorer, a new request handler and a modification to NewAuthorizeRequest.

<https://github.com/ory/fosite/pull/629> - PAR implemented.

<@U010F2N7G2X> Was just contemplating. While the spec doesn't dictate that PAR should be enforced on a client, should it be something that should be added as a `PARClient` interface with an `Enforced() boolean`  func? The change is small to check and fail a request on the authorize endpoint if PAR is enforced and the request doesn't contain the right request_uri. But it doesn't match the spec exactly.

This could also be implemented by consumers (like Hydra) by adding another authorize endpoint handler that performs any enforcement logic that it wants.