PARM - Pushed Authorization Response Mode

Issue #1611 resolved
Kristina Yasuda created an issue

Placeholder issue. There used to be a proposal to define PARM - Pushed Authorization Response Mode (name not final). The idea was to enable AS/SIOP to send large responses by reference, just like the Client can pass requests with large sizes using PAR - Pushed Authorization Request via request_uri.

AS/SIOP would send response_uri to the Client in the response, and the Client can retrieve the response object from the response_uri.

An additional benefit was security, since what started as a cross-device flow could end as a same-device flow - the user would start the flow by scanning a QR code on another device, but would end on the device used to present the Credential, which would open response_uri.

(cc @Jeremy)

Comments (5)

  1. Joseph Heenan

    It sounds kind of similar to authorization code flow (response_type=code)? i.e. client gets a “thing” back and then calls the token endpoint to exchange the “thing” for an id token (and access token).

  2. Kristina Yasuda reporter

    Interesting - the biggest difference being that here the AS/OP has to pre-upload the response to the endpoint controlled by the client, while in the authorization code flow the AS/OP pre-generates a code/thing?

  3. Joseph Heenan

    I think I may have misunderstood the proposed flow - my comment is only really relevant in the case where the AS was sending response_uri to the client which the client then retrieves from.

  4. Tobias Looker

    There appear to be two possible response options here:

    1. The AS/SIOP hosts the response and returns a response_uri that the client/RP has to resolve
    2. The AS/SIOP posts the response to the client via an endpoint supplied by it

    While the cross-device flow is a core use case for this functionality, I don't think we should limit its scope only to this, as more generally the ability to send a reference to the response really unlocks the ability to send larger responses. I also agree with Joseph that there is some overlapping intent in what this mechanism proposes which is similar to the authorization_code flow.

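Added example, not code from the issue, its commenters, or any OpenID specification: an in-memory simulation of the two delivery options in the thread, the response-by-reference flow the issue describes (Tobias's option 1: the AS/SIOP hosts the response and returns a response_uri the Client resolves) and his option 2 (the AS/SIOP posts the response to an endpoint the Client supplied). HTTP is replaced by direct Python calls; the AS origin `https://as.example`, the `/responses/<ref>` path layout, the 60-second TTL, and the state/nonce binding are assumptions chosen to show the checks a practitioner would want on such a reference: it is unguessable, single-use, time-limited, bound to the client it was issued for, and the client only dereferences it at the AS it is already talking to.

```python
# Added example, not code from the issue or from any OpenID specification: an
# in-memory simulation of the two delivery options discussed in the thread.
# HTTP calls are replaced by direct Python calls; the origin, URL layout,
# parameter names, TTL and the state/nonce binding are assumptions.
import secrets
import time
from urllib.parse import urlsplit


class AuthorizationServer:
    """AS/SIOP side of both options."""

    ISSUER = "https://as.example"  # assumed AS/SIOP origin

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pushed = {}  # reference -> {client_id, expires, response}

    def push_response(self, client_id, response):
        """Option 1: park the full response behind an unguessable reference."""
        ref = secrets.token_urlsafe(32)  # 256 random bits, never reused
        self._pushed[ref] = {"client_id": client_id,
                             "expires": self._clock() + self._ttl,
                             "response": response}
        return f"{self.ISSUER}/responses/{ref}"

    def fetch_response(self, response_uri, client_id):
        """Serve GET response_uri: one-time, time-limited, bound to one client."""
        parts = urlsplit(response_uri)
        if (f"{parts.scheme}://{parts.netloc}" != self.ISSUER
                or not parts.path.startswith("/responses/")):
            raise LookupError("response_uri does not belong to this server")
        ref = parts.path.rsplit("/", 1)[1]
        entry = self._pushed.pop(ref, None)  # pop: consumed even if a check fails
        if entry is None:
            raise LookupError("unknown or already consumed reference")
        if self._clock() > entry["expires"]:
            raise LookupError("reference expired")
        if entry["client_id"] != client_id:
            raise PermissionError("reference was issued to another client")
        return entry["response"]

    def deliver_by_reference(self, request, response):
        """Option 1 front-channel message: only state and response_uri go back."""
        uri = self.push_response(request["client_id"], response)
        return {"state": request["state"], "response_uri": uri}

    def deliver_by_post(self, client, request, response):
        """Option 2: POST the whole response to the Client's own endpoint."""
        return client.response_endpoint({"state": request["state"], **response})


class Client:
    """Client/RP side. It talks to exactly one AS and only dereferences a
    response_uri at that AS, so a forged reference cannot make it fetch
    arbitrary URLs."""

    def __init__(self, client_id, server):
        self.client_id = client_id
        self.server = server
        self._pending = {}  # state -> nonce of requests awaiting a response

    def authorization_request(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return {"client_id": self.client_id, "state": state, "nonce": nonce}

    def handle_reference(self, message):
        """Option 1: resolve response_uri, then validate like any response."""
        if message["state"] not in self._pending:
            raise ValueError("response for an unknown or finished request")
        full = self.server.fetch_response(message["response_uri"], self.client_id)
        return self._accept(message["state"], full)

    def response_endpoint(self, message):
        """Option 2: the AS posts the full response here."""
        if message.get("state") not in self._pending:
            raise ValueError("response for an unknown or finished request")
        return self._accept(message["state"], message)

    def _accept(self, state, response):
        nonce = self._pending.pop(state)  # state is single use as well
        if response.get("nonce") != nonce:
            raise ValueError("nonce does not match the original request")
        return response


def _fails(fn, *exc):
    try:
        fn()
    except exc:
        return True
    return False


def run_by_reference():
    """Option 1 end to end: (reference shorter than payload, accepted, replay rejected)."""
    server = AuthorizationServer()
    client = Client("rp.example", server)
    request = client.authorization_request()
    # constructed stand-in for a presentation too large for a query string
    response = {"nonce": request["nonce"], "vp_token": "x" * 20000}
    message = server.deliver_by_reference(request, response)
    accepted = client.handle_reference(message)
    replay_rejected = _fails(lambda: client.handle_reference(message),
                             ValueError, LookupError)
    return (len(message["response_uri"]) < len(response["vp_token"]),
            accepted == response, replay_rejected)


def run_by_post():
    """Option 2 end to end: True when the posted response is accepted."""
    server = AuthorizationServer()
    client = Client("rp.example", server)
    request = client.authorization_request()
    response = {"nonce": request["nonce"], "vp_token": "x" * 20000}
    return server.deliver_by_post(client, request, response)["vp_token"] == response["vp_token"]


def reference_expires():
    """A reference fetched after its TTL is rejected (fake clock)."""
    now = [0.0]
    server = AuthorizationServer(ttl_seconds=10, clock=lambda: now[0])
    uri = server.push_response("rp.example", {"nonce": "n"})
    now[0] = 11.0
    return _fails(lambda: server.fetch_response(uri, "rp.example"), LookupError)


if __name__ == "__main__":
    print("by reference:", run_by_reference())
    print("by post:", run_by_post())
    print("expired reference rejected:", reference_expires())
```

The point of `_pushed.pop()` in `fetch_response` is that the reference is consumed on the first attempt whether or not the remaining checks pass, so a leaked or guessed response_uri can be tried at most once; on the client side the `state` is consumed in the same way, which is what rejects the replay in `run_by_reference`. Option 2 needs none of the reference bookkeeping, but the client endpoint then has to do the same state and nonce validation against an unauthenticated POST, which is the overlap with the authorization code flow that Joseph and Tobias point out.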