/par

Submit a pushed authorization request before redirecting the browser to /authorize.

Endpoint

  • Method: POST
  • URL: https://sso.user.m7.org/par
  • Content type: application/x-www-form-urlencoded
  • Response: JSON

When to use it

Use PAR when you do not want to place the full authorization request in the browser URL.

Typical flow:

  1. POST the authorization request to /par
  2. Receive request_uri
  3. Redirect the browser to /authorize?client_id=...&request_uri=...

Client authentication

Authenticate the OAuth client the same way you would for the token endpoint.

Currently advertised token endpoint auth methods:

  • none
  • client_secret_basic
  • client_secret_post
  • client_secret_jwt
  • private_key_jwt

Request fields

Send the same authorization parameters you would normally send to /authorize, such as:

  • client_id
  • redirect_uri
  • response_type=code
  • scope
  • state
  • code_challenge
  • code_challenge_method
  • nonce
  • login_hint
  • prompt
  • max_age

Example

curl -sS https://sso.user.m7.org/par \
  -u 'CLIENT_ID:CLIENT_SECRET' \
  -d client_id='CLIENT_ID' \
  -d redirect_uri='https://app.example.com/callback' \
  -d response_type='code' \
  -d scope='openid profile offline_access' \
  -d state='STATE123' \
  -d code_challenge='PKCE_CHALLENGE' \
  -d code_challenge_method='S256' \
  -d nonce='NONCE123'

Success response

{
  "request_uri": "REQUEST_URI",
  "expires_in": 600
}

Next step

Redirect the browser to:

https://sso.user.m7.org/authorize?client_id=CLIENT_ID&request_uri=REQUEST_URI

Notes

  • request_uri is short-lived and should be used promptly.
  • The current PAR implementation mirrors the normal /authorize request semantics rather than exposing a different public policy model.
  • In practice, current hosted flows expect a state value.
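The three-step flow above, as an added Python example that is not part of this page or the SSO project's own code: it derives an S256 PKCE pair, builds the client_secret_basic header and form body for the POST to /par, then turns a constructed sample /par response into the /authorize redirect while tracking expires_in so a stale request_uri is not reused. The redirect_uri, credentials and request_uri values are placeholders or constructed.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

PAR_ENDPOINT = "https://sso.user.m7.org/par"
AUTHORIZE_ENDPOINT = "https://sso.user.m7.org/authorize"

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.
    The verifier stays on the client; only the challenge goes into the PAR body."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_par_request(client_id, client_secret, redirect_uri, scope, state, nonce, code_challenge):
    """Headers and form body for POST PAR_ENDPOINT, authenticating with client_secret_basic."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "client_id": client_id,            # sent in the body as well, as in the curl example
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "nonce": nonce,
    })
    return headers, body

def authorize_url_from_par_response(client_id, response_text, received_at):
    """Parse the /par JSON and build the browser redirect.
    Returns (url, expires_at); only client_id and request_uri go in the URL."""
    data = json.loads(response_text)
    request_uri = data.get("request_uri")
    if not isinstance(request_uri, str) or not request_uri:
        raise ValueError("PAR response has no request_uri")
    expires_at = received_at + int(data["expires_in"])   # redirect before this instant
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{AUTHORIZE_ENDPOINT}?{query}", expires_at

# Constructed sample response, shaped like the success response documented above.
SAMPLE_PAR_RESPONSE = '{"request_uri": "urn:ietf:params:oauth:request_uri:EXAMPLE", "expires_in": 600}'
```

Only the verifier (not the challenge) needs to be kept for the later token request, and the state, nonce and code_challenge never appear in the browser URL because they were delivered through the back channel.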