|
| 1 | +<!-- Add the following to the MISC |
| 2 | +[!INCLUDE[](~/release-notes/aspnetcore-9/includes/par.md)] |
| 3 | +--> |
| 4 | +### OpenIdConnectHandler adds support for Pushed Authorization Requests (PAR) |
| 5 | + |
| 6 | +We'd like to thank [Joe DeCock](https://github.com/josephdecock) from [Duende Software](https://github.com/DuendeSoftware) for adding Pushed Authorization Requests (PAR) to ASP.NET Core's [OpenIdConnectHandler](/dotnet/api/microsoft.aspnetcore.authentication.openidconnect.openidconnecthandler). Joe described the background and motivation for enabling PAR in [his API proposal](https://github.com/dotnet/aspnetcore/issues/51686) as follows: |
| 7 | + |
| 8 | +> Pushed Authorization Requests (PAR) is a relatively new [OAuth standard](https://datatracker.ietf.org/doc/html/rfc9126) that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end). |
| 9 | +> |
| 10 | +> This prevents an attacker in the browser from |
| 11 | +> |
| 12 | +> * seeing authorization parameters (which could leak PII) and from |
| 13 | +> * tampering with those parameters (e.g., the attacker could change the scope of access being requested). |
| 14 | +> |
| 15 | +> Pushing the authorization parameters also keeps request URLs short. Authorize parameters might get very long when using more complex OAuth and OIDC features such as [Rich Authorization Requests](https://oauth.net/2/rich-authorization-requests/), and URLs that are long cause issues in many browsers and networking infrastructure. |
| 16 | +> |
| 17 | +> The use of PAR is encouraged by the [FAPI working group](https://openid.net/wg/fapi/) within the OpenID Foundation. For example, [the FAPI2.0 Security Profile](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html) requires the use of PAR. This security profile is used by many of the groups working on open banking (primarily in Europe), in health care, and in other industries with high security requirements. |
| 18 | +> |
| 19 | +> PAR is supported by a number of identity providers, including |
| 20 | +> |
| 21 | +> * [Duende IdentityServer](https://duendesoftware.com/products/identityserver) |
| 22 | +> * [Curity](https://curity.io/product/) |
| 23 | +> * [Keycloak](https://www.keycloak.org/) |
| 24 | +> * [Authlete](https://www.authlete.com/developers/tutorial/oidc/) |
| 25 | +
|
| 26 | +For preview7, we have decided to enable PAR by default if the identity provider's discovery document (usually found at `.well-known/openid-configuration`) advertises support for PAR, since it should provide enhanced security for providers that support it. If this causes problems, you can disable PAR via [OpenIdConnectOptions.PushedAuthorizationBehavior](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs,99014cc0333b1603) as follows: |
| 27 | + |
| 28 | +:::code language="csharp" source="~/release-notes/aspnetcore-9/samples/PAR/Program.cs" id="snippet_1" highlight="8-99"::: |
| 29 | + |
| 30 | +If you want to ensure that authentication only succeeds if PAR is used, you can use [PushedAuthorizationBehavior.Require](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/PushedAuthorizationBehavior.cs,3af73de8f33b70c5) instead. This change also introduces a new [OnPushAuthorization](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/Events/OpenIdConnectEvents.cs,6a21c8f3a90753c1) event to [OpenIdConnectEvents](/dotnet/api/microsoft.aspnetcore.authentication.openidconnect.openidconnectevents) which can be used customize the pushed authorization request or handle it manually. Please refer to the [API proposal](https://github.com/dotnet/aspnetcore/issues/51686) for more details. |
0 commit comments