Pushed Authorization Request (PAR) Support in ASP.NET Core
We think that PAR is one of the easiest ways to increase the security of OAuth and OpenID Connect. That’s why we prioritized the implementation of the RFC and released fully featured support in IdentityServer v7.
Unfortunately, it wasn’t as straightforward as it could be to add client-side PAR support to an existing ASP.NET Core application using the Microsoft OpenID Connect authentication handler.
While the OIDC handler is generally very well factored and provides extensibility points to accommodate a wide range of protocol extensions that didn’t even exist when the handler was written, it lacked the right granularity for this particular scenario. We have a sample here that adds PAR support, but unfortunately some of the OIDC handler internals had to be replicated.
We are happy to announce that starting with .NET 9, the ASP.NET Core OIDC handler will have built-in PAR support. Even further, the current previews of .NET 9 have PAR enabled by default. This means every application gets the new security feature by default if the OIDC provider supports it. That’s huge.
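The default only uses PAR when the provider advertises a PAR endpoint, so an application that depends on it may prefer to fail closed. The following Program.cs is an added example, not code from this post or its linked sample; the authority URL, client id and the "Oidc:ClientSecret" configuration key are placeholders.

```csharp
// Program.cs for an ASP.NET Core web app targeting .NET 9 (added example).
// Needs the Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Placeholder values: replace with your provider and client registration.
        options.Authority = "https://idp.example.com";
        options.ClientId = "web-app";
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";

        // PushedAuthorizationBehavior values in .NET 9:
        //   UseIfAvailable (default): use PAR when the discovery document
        //                             or explicit configuration has a PAR endpoint.
        //   Disable:                  never use PAR.
        //   Require:                  always use PAR and raise an error when no
        //                             PAR endpoint is available.
        // Require keeps the app from silently falling back to sending the
        // authorization parameters through the browser's front channel.
        options.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Require;
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Any protected endpoint triggers the OIDC challenge, which now pushes the
// authorization request to the provider before redirecting the browser.
app.MapGet("/", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```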
This feature was contributed by our IdentityServer lead Joe DeCock. See here and here for his blog posts diving into the technical details.
Thanks Joe for making ASP.NET more secure!