Push authorization: real-time security that actually works

As data breaches and unauthorized access become rampant, organizations face immense pressure to safeguard sensitive information during authorization.

Securing sensitive information during user authorization—that critical moment of access—is paramount. Yet, traditional methods for handling OAuth authorization requests expose vulnerabilities like unguarded windows in our digital walls as critical data transits through user agents.

Enter Pushed Authorization Requests (PAR) – a solution to tackle these challenges head-on. Think of it as replacing those vulnerable windows with reinforced steel doors, significantly bolstering your defences against malicious actors.

One of the key weaknesses PAR addresses lies within the traditional OAuth flow. Imagine a scenario where, malicious applications or browser extensions could potentially manipulate authorization request parameters within the user's browser.

This could lead to unauthorized scopes and sensitive information being exposed. By ensuring that the authorization server validates the entire request based on pre-registered parameters tied to a unique request URI, PAR effectively eliminates the risk of client-side parameter tampering.

As the digital landscape evolves with increasingly sophisticated threats, adopting security best practices like PAR is no longer optional – it's a fundamental necessity for building resilient and trustworthy applications.

What is Pushed authorization request (PAR) 

Imagine a scenario where a client application needs access to a user's data from an authorization server. Usually, this would involve redirecting the user's browser with all the request parameters included in the URL. This risks exposing sensitive information and is restrictive due to URL length constraints.

PAR transforms this process by allowing the client application to push the authorization request directly to the server via a secure back channel. 
The PAR endpoint provides enhanced security and cryptographic integrity when used with the authorization code grant flow and optionally in conjunction with PKCE.

It lets the authorization server authenticate the client before making an authorization request to ensure early detection of invalid or illegal requests.
Responding to this pre-authorization backchannel request, the client receives a request URL to reference the payload data in subsequent interactions with the server. 

Benefits of using PAR

Security perspective

• Tamper-proof authorization flows: By moving sensitive parameters from front-channel browser requests to backchannel server-to-server communication, PAR eliminates risks of URL parameter manipulation and exposure to browser logs.
• Client authentication: PAR allows authorization servers to authenticate clients before user interaction begins, preventing unauthorized or spoofed requests early in the process.
  
  

Compliance and regulatory advantages

• GDPR/privacy alignment: PAR minimizes data leakage risks by avoiding front-channel transmission of parameters like scope or redirect_uri, aiding compliance with privacy regulations.
• Auditability: Centralized handling of authorization requests simplifies audit trails essential for regulated industries.

Technical benefits

• Shorter URLs: Complex authorization requests with lengthy parameters (e.g., Rich Authorization Requests) are reduced to a compact request_uri, avoiding browser URL length limitations.
• Early validation: PAR validates parameters at the /par endpoint before user redirection, reducing errors and improving user experience compared to traditional flows where errors surface post-redirect.

PAR implementation

To use PAR in OAuth requests, we must implement a PAR endpoint in the authorization server. PAR lets the authorization server authenticate the client before making an authorization request to ensure early detection of invalid or illegal requests.

The process flow is explained below.

• The client application sends an authorization request to the PAR endpoint of the authorization server.
• The authorization server authenticates the application client, validates and stores the request. Then, it replies with a response containing the authorization request's identifier (request_uri) and the validity time (expires_in).
• The client application uses the request_uri to build the authorization request URL for the user's browser and redirects it to the authorization server. The authorization request URL will look like the following:https://your-authorization-server.com/authorize?client_id=...&request_uri=xyz
• The user's browser sends a GET request to the authorization server using the authorization request URL received by the client application. The authorization server retrieves the authorization request identified by the request_uri value, and from now on, the usual steps of the requested OAuth flow are carried out.

How PAR tackles real-world security challenges 

Pushed Authorization Request (PAR) improves security and compliance by allowing client applications to send authorization request details directly to the authorization server through a secure, back-channel request. This avoids exposing sensitive data in the browser or app URL and supports regulatory and security requirements.

Not using PAR where sensitive data or financial transactions are involved increases the risk of interception or misuse. In regulated industries, skipping PAR can lead to compliance failures. Even outside legal mandates, omitting PAR in high-risk contexts is a serious security oversight.

Compliance and regulatory alignment

 PAR is essential for meeting stringent security standards and regulatory requirements:

• It is required by the Financial-grade API (FAPI) 2.0 Security Profile, which governs secure data sharing in financial services like open banking.
• It helps meet geo-specific mandates, such as Australia’s Consumer Data Right (CDR), by ensuring secure and verifiable authorization flows.
• In regulated sectors like financial services and healthcare, failing to implement PAR may result in non-compliance with mandated security frameworks.

Security and UX benefits across applications

• Single page applications (SPAs): The backend server can generate and push the authorization request, reducing exposure in the browser and enhancing front-end simplicity.
• Mobile apps: Mobile clients can prepare the request and hand it off to the browser securely, improving flow reliability and user experience.

Industry use cases

• Banking & financial services: Secure transaction approval and account access in mobile and web banking.
• Healthcare: Controlled access to sensitive patient data, ensuring only authorized users gain access.
• IoT: Limits device control to verified mobile apps, preventing unauthorized device access.
• E-commerce & Marketplaces: Secures payment and personal data during user login and purchase flows.

Industry adoption

• FAPI-driven adoption: Required by FAPI 2.0, PAR is rapidly becoming standard in secure APIs.
• Platform Integration: Frameworks like ASP.NET Core and Spring Security have added PAR support.
• Identity Provider Support: Providers such as Auth0, Curity, and
• Ping Identity have integrated PAR, showcasing its importance in modern OAuth security strategies.

Challenges and considerations

Client-side adjustments: While minimal, clients must adopt new workflows to push requests to the PAR endpoint. This includes methods to construct, authenticate and transmit authorization requests. 

The organisation may face challenges while implementing secure back-channel communications, updating authentication methods, handling new flow logic with request URI, improving error handling, and ensuring compatibility and security.

Server overhead: Server-side challenges for a PAR endpoint revolve around secure authentication, robust validation, efficient state management, scalability, strict standards compliance, and effective error handling. These are critical for maintaining the security and reliability of the OAuth authorization process as described below. 

Nagarro's approach to PAR 

Pushed Authorization Requests (PAR) represent a shift in OAuth 2.0 security, addressing long-standing vulnerabilities while enabling compliance and usability improvements.

By enhancing security and privacy in 0Auth2.0, Pushed Authorization Requests ensure that sensitive authorization details aren't exposed during transmission.

This makes it an essential tool for developers looking to implement more secure authorization flows, particularly in sectors (such as financial services and healthcare) that require stringent data protection measures.

At Nagarro, we've cultivated deep expertise in Identity and Access Management (IAM) as a foundational element of our cybersecurity practice. PAR implementation requires a nuanced understanding of both client and server-side architecture.

We have systematically addressed the technical challenges inherent in configuring PAR endpoints, establishing robust client authentication mechanisms, and implementing comprehensive request validation processes.

Through our work, we've explored the interplay between PAR and complementary OAuth extensions, recognizing how these elements function together to create coherent security frameworks. This systems-thinking approach has proven particularly valuable in regulated industries like financial services and healthcare, where PAR helps organizations meet specific compliance requirements.

Our implementation experience spans diverse technical environments, allowing us to adapt PAR solutions to unique organizational contexts while preserving the core security benefits that make this protocol valuable in modern authorization architectures.

Conclusion

PAR's adoption in financial, healthcare, IoT ecosystems and other key domains underscores its value in high-stakes environments. At the same time, implementation requires adjustments. The trade-offs in risk reduction and auditability position PAR as a cornerstone of future-proof authorization architectures.