PARM - Pushed Authorization Response Mode
Placeholder issue. There used to be a proposal to define PARM - Pushed Authorization Response Mode (name not final). The idea was to enable AS/SIOP to send large responses by reference, just like the Client can pass requests with large sizes using PAR - Pushed Authorization Request via request_uri
.
AS/SIOP would send response_uri
to the Client in the response, Client can retrieve response object from the response_uri.
Additional benefit was security, since what started as a cross-device flow could end as a same-device flow - the user would start the flow by scanning a QR code on another device, but would end on a device used to present the Credential which would open response_uri
.
(cc @Jeremy)
Comments (5)
-
-
reporter interesting - the biggest difference being that here AS/OP has to pre-upload response to the endpoint controlled by the client, while in authorization code flow, AS/OP pre-generates a code/thing?
-
I think I may have misunderstood the proposed flow - my comment is only really relevant in the case where the AS was sending
response_uri
to the client which the client then retrieves from. -
There appears two be two possible response options here
- The AS/SIOP hosts the response and returns a response_uri that the client/RP has to resolve
- The AS/SIOP posts the response to the client via an endpoint supplied by it
While cross device flow is a core usecase for this functionality I dont think we should limit its scope only to this as more generally the ability to send a reference to the response really unlocks the ability to send larger responses. I also agree with Joseph that there is some overlapping intent that this mechanism proposes which is similar to the authorization_code flow
-
reporter - changed status to resolved
PR #474 merged
- Log in to comment
It sounds kind of similar to authorization code flow (
response_type=code
)? i.e. client gets a “thing” back and then calls the token endpoint to exchange the “thing” for an id token (and access token).