The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.
Today’s security lingo is PAR, so let’s discuss what the acronym stands for and where you can see and hear it used.
What is PAR?
Put the golf clubs down and hop out of that cart; PAR isn’t your golf score after taking one too many mulligans. No, PAR is the latest feature for improving your application’s security posture, especially if you’re using Duende IdentityServer to implement OAuth 2.0 and OpenID Connect as your security solution provider. So, let’s take a swing at explaining what PAR stands for and why it’s crucial for modern security solutions.
Pushed Authorization Requests (PAR) is a relatively new OAuth standard that enhances the security of OAuth and OpenID Connect flows by relocating authorization parameters from the front channel, where they are typically stored in URL parameters during a client redirect, to the back channel, a machine-to-machine direct call between the client host and server.
From a security perspective, PAR prevents an attacker who has compromised your browser from performing two key actions:
- Seeing authorization parameters (which could leak PII)
- Tampering with those parameters (e.g., the attacker could change the scope of access being requested).
An added benefit is that pushing the authorization parameters reduces the length of request URLs. Authorize URL parameters may become very long when using more complex OAuth and OpenID Connect features, and long URLs can hit length limits in browsers and networking infrastructure such as proxies.
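To make the front-channel versus back-channel difference concrete, here is a toy Python model of the exchange (an added example, not code from this post or from Duende IdentityServer): the client pushes its parameters to the PAR endpoint (RFC 9126), receives an opaque request_uri, and the browser redirect then carries only client_id and that request_uri; the authorize endpoint resolves the pushed parameters once, checks expiry and client binding, and rejects a replayed request_uri. The server URL, client name and parameter values are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse
AUTHORIZE = "https://ids.example.com/connect/authorize"  # hypothetical server
# Constructed sample authorization parameters for a hypothetical client.
AUTHZ_PARAMS = {
    "response_type": "code",
    "client_id": "spa-client",
    "redirect_uri": "https://app.example.com/signin-oidc",
    "scope": "openid profile email api.read api.write",
    "state": "af0ifjsldkj",
    "code_challenge": "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM",
    "code_challenge_method": "S256",
}

class ParEndpoint:
    """Toy RFC 9126 server side: stores pushed params, returns a short-lived, single-use request_uri."""

    def __init__(self, lifetime=60):
        self.lifetime = lifetime
        self._store = {}  # request_uri -> (params, expiry)

    def push(self, params, authenticated_client):
        # Back channel: the client authenticated to reach here; the pushed client_id must match.
        if params.get("client_id") != authenticated_client:
            raise ValueError("client_id mismatch")
        uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
        self._store[uri] = (dict(params), time.time() + self.lifetime)
        return {"request_uri": uri, "expires_in": self.lifetime}

    def resolve(self, request_uri, client_id):
        # Authorize endpoint: look up and consume (pop) the pushed parameters.
        params, expiry = self._store.pop(request_uri, (None, 0))
        if params is None or time.time() > expiry:
            raise ValueError("unknown, already used or expired request_uri")
        if params["client_id"] != client_id:
            raise ValueError("client_id mismatch")
        return params

def classic_authorize_url():
    """Without PAR: every parameter rides in the browser redirect."""
    return AUTHORIZE + "?" + urlencode(AUTHZ_PARAMS)

def par_authorize_url(server):
    # With PAR: push first, then redirect with only client_id and request_uri.
    uri = server.push(AUTHZ_PARAMS, "spa-client")["request_uri"]
    return AUTHORIZE + "?" + urlencode({"client_id": "spa-client", "request_uri": uri})

def handle_authorize(server, url):
    # Authorize endpoint side of the redirect: recover the pushed parameters.
    q = parse_qs(urlparse(url).query)
    return server.resolve(q["request_uri"][0], q["client_id"][0])
```

Comparing the two URLs shows that scope, redirect_uri and the PKCE challenge never appear in the browser-visible request, and that the PAR redirect is considerably shorter.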
Duende IdentityServer customers using ASP.NET Core 9 can enable PAR to get all the benefits described above; the setup steps can be found in our documentation on the topic of Pushed Authorization Requests.
Now, while relaxing at the nineteenth hole and grabbing a drink with friends, you’ll feel more comfortable talking about PAR and the security implications it has on your identity solution. Who knows, it might even help you avoid the awkward topic of how often you hit those sand traps.
We hope you found this post enlightening. If there’s other security lingo you’re unsure about, please let us know in the comments, and we’ll be happy to explain. And while you’re here, please take a moment to explore our range of security products and join our community in our public discussions.