Looking for examples on how to do PAR (pushed authorization requests)

[FufferKS]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Hi, I'm trying out auth0 as a provider.
I've been able to follow the setup docs and properly authorise.
For my app, I might need to use PAR, I'm struggling to set it up and looking for examples.

Particularly, I'm running into UNKNOWN: Invalid callback on ios.

From what I understand from the docs, we might need to set up a backend proxy, but I'm also interested in any quidelines on the simplest possible POC even with an unsafe client side secret to start with.

Describe the ideal solution

---

Alternatives and current workarounds

No response

Additional context

No response

[pmathew92]

Hi @FufferKS ,
At the moment we don't support PAR flow on flutter SDK. In fact none of our mobile SDKs support it at the moment. We do have PRs to add them to our Android and iOS SDK open and under review.
auth0/Auth0.Android#888
auth0/Auth0.swift#1038

We will eventually add the support for the same in the flutter SDK. I can't share a definite ETA at the moment but will share an update as soon as we come up with timeline

[ethiril]

Hello @pmathew92 👋

I have some follow up questions, since I'm also looking at a similar issue.

What would be a proposed solution to accomplish a PAR flow with an ios/android app? Would one need a proxy server to act as a confidential client to Auth0 that would handle the authentication between app and backend?

I couldn't find much in the documentation, and not a single example of an e2e flow that would outline this, so if there are some – they would be hugely appreciated!

Thanks :)

[pmathew92]

Hi @ethiril ,
For accomplishing PAR on ios/android apps you would need to do a flow like

1. PAR Request
   Your backend should make a POST request to the /oauth/par endpoint of the Auth0 server with the body request containing

  client_secret=...
  response_type=code
  redirect_uri= redirect_url
  scope=openid profile email
  code_challenge=...
  code_challenge_method=S256
  state=...

This will give you a response like :

{
    "request_uri": "urn:ietf:params:oauth:...",
    "expires_in": 600
  }

2. Authorization Request
   You will use the mobile SDK to make the request to the /authorize?client_id=...&request_uri=... , which opens up your browser login flow. Note that here you are passing only your client id and the request_uri, you received from the previous step as paramter as opposed to passing all the other details in a normal login flow.
   You will receive an Authorization code back once you successfully login.

3. Token Exchange
   Now you make an API call to your backend passing this authorization code which in turn will make the request to the oauth/token endpoint to exchange this authorization code for an access token.

PAR request and token exchange needs to be handled by your backend server. Mobile SDK only handles the authorization part .
Hope this clarifies

[pmathew92]

Hi @ethiril @FufferKS I am moving this request to community discussion to get more feedback from the community on how to achieve this feature in a more developer friendly manner