Learn what Pushed Authorization Requests are and when to use them to strengthen the security of your OAuth 2.0 and OpenID Connect-based applications.
Brought to you by @andrea.chiarelli
Enjoyed the post? Share your comments and feedback with us in this thread.
Hi Robertino,
I have a question if you can guide me for the solution:
I have three applications:
The Client UI App authenticates through our SSO and interacts with the Client API App’s endpoints.
Now, if I want to implement Pushed Authorization Requests (PAR), where should I place the initial request to obtain the request_uri within this Client UI and API structure?
Since the PAR request to obtain the request_uri must be a back-channel request, where should it be initiated?
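As an added illustration for the question above (example code written for this thread, not the poster's or Auth0's own): in the common case where the Client UI app is a confidential, server-rendered client, the PAR POST lives in that UI app's backend, and only the returned request_uri is handed to the browser for the front-channel redirect. The endpoint URLs, client credentials and the injectable `post` transport are assumptions for the example.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Constructed endpoints for this example; real values come from the server's discovery document.
PAR_ENDPOINT = "https://sso.example.com/oauth/par"
AUTHORIZE_ENDPOINT = "https://sso.example.com/authorize"


def http_post_form(url, form, headers):
    """Default transport: a real form-encoded HTTP POST. Returns the decoded JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def push_authorization_request(client_id, client_secret, redirect_uri, scope,
                               code_challenge, post=http_post_form):
    """Back-channel step, run in the client's backend: send every authorization
    parameter to the PAR endpoint with client authentication. The browser never
    sees these parameters, only the request_uri returned here."""
    state = secrets.token_urlsafe(16)
    form = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,       # PKCE challenge derived elsewhere
        "code_challenge_method": "S256",
    }
    creds = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    basic = base64.b64encode(creds.encode()).decode()
    body = post(PAR_ENDPOINT, form, {"Authorization": f"Basic {basic}"})
    request_uri = body.get("request_uri")
    # The reference is short-lived and single-use; refuse anything unusable.
    if not request_uri or int(body.get("expires_in", 0)) <= 0:
        raise ValueError("PAR endpoint did not return a usable request_uri")
    return request_uri, state


def build_authorize_url(client_id, request_uri):
    """Front-channel step: redirect the browser with only client_id and request_uri;
    the authorization server resolves the pushed parameters server-side."""
    query = urllib.parse.urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{AUTHORIZE_ENDPOINT}?{query}"
```

The `state` returned alongside the request_uri must be kept in the backend session so the callback can be matched to the request that was pushed.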
Hi @akshayaote7,
Welcome to the Auth0 Community!
I need some clarification on your application architecture in order to give you an answer.
In particular,
- Our own SSO that supports Authorization Code + PKCE
I assume this is an OIDC/OAuth authorization server supporting PAR. Is it correct?
- A Client UI App
Not sure what type of application this is. When you say Client, do you mean an OAuth/OIDC client (i.e., a client with respect to 1.)? Is this application a confidential client (server-rendered web app) or a public client (SPA, mobile or desktop app)?
- A Client API App
Is this a client of an API? Where is the API in this scenario?
You mention that the Client UI app “interacts with the Client API App’s endpoints”, so I assume this is the API, not the Client API, right?
Sorry, but I need to have a clear understanding of your scenario to give you an appropriate answer. In particular, I need to understand the nature of the Client UI App, which I imagine is where the authentication flow starts.