Merge pull request #383 from DuendeSoftware/joe/par-rar
Minor wording change
leastprivilege authored Nov 28, 2023
2 parents 3e3f6fd + 155a9e4 commit 1f919bf
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions IdentityServer/v7/docs/content/tokens/par.md
Expand Up @@ -12,7 +12,7 @@ This prevents an attacker in the browser from
- seeing authorization parameters (which could leak PII) and from
- tampering with those parameters (e.g., the attacker could change the scope of access being requested).

Pushing the authorization parameters also keeps request URLs short. Authorize parameters might get very long when using more complex OAuth and OIDC features such as Rich Authorization Requests, and URLs that are long cause issues in many browsers and networking infrastructure.
Pushing the authorization parameters also keeps request URLs short. Authorize parameters might get very long when using more complex OAuth and OIDC features, and URLs that are long cause issues in many browsers and networking infrastructure.

The use of PAR is encouraged by the [FAPI working group](https://openid.net/wg/fapi/) within the OpenID Foundation. For example, [the FAPI2.0 Security Profile](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html) requires the use of PAR. This security profile is used by many of the groups working on open banking (primarily in Europe), in health care, and in other industries with high security requirements.

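Review bot: the rewording drops the only concrete example of why authorize parameters get long (Rich Authorization Requests), which leaves "more complex OAuth and OIDC features" unsupported for a reader who does not already know which features inflate the request; if the intent is to stop singling out RAR, consider keeping at least one named feature, e.g. "features such as Rich Authorization Requests", so the URL-length motivation stays traceable. Minor: the new line still mixes "authorization parameters" and "Authorize parameters" in the same sentence; "Authorization parameters might get very long" would keep the term consistent with the bullet list above it.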
Expand All @@ -26,4 +26,4 @@ Duende.IdentityServer includes support for PAR in the Business Edition or higher
- The *Client* configuration object now includes two new properties to configure PAR on a per-client basis.
- *Client.RequirePushedAuthorization* controls if this client requires PAR. PAR is required if either the global configuration is enabled or if the client's flag is enabled (this can't be used to opt out of the global configuration). This defaults to *false*, which means the global configuration will be used.
- *Client.PushedAuthorizationLifetime* controls the lifetime of pushed authorization requests for a client. If this lifetime is set, it takes precedence over the global configuration. This defaults to *null*, which means the global configuration is used.
- The *EndpointOptions* now includes a new flag to enable or disable the PAR endpoint: *EnablePushedAuthorizationEndpoint*, which defaults to *true*.
- The *EndpointOptions* now includes a new flag to enable or disable the PAR endpoint: *EnablePushedAuthorizationEndpoint*, which defaults to *true*.

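Review bot: the removed and added lines for *EndpointOptions* are character-identical in the rendered diff, so this hunk is presumably a trailing-whitespace or end-of-file newline fix rather than a wording change; the commit message "Minor wording change" does not cover it, so either mention the whitespace fix in the message or drop this hunk to keep the change scoped to the paragraph edited in the first hunk.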