---
title: "Identity, Unlocked... Explained: Season 2, Ep. 2"
description: "PAR, RAR, and JAR with Filip Skokan"
authors:
  - name: "Vittorio Bertocci"
    url: "https://auth0.com/blog/authors/vittorio-bertocci/"
date: "Mar 12, 2021"
category: "Developers,Campaigns,Identity Unlocked"
tags: ["identity-unlocked", "podcast", "auth0"]
url: "https://auth0.com/blog/identity-unlocked-explained-season-2-ep-2/"
---

# Identity, Unlocked... Explained: Season 2, Ep. 2



## The Overview

In this episode of _Identity, Unlocked_, principal architect at [Auth0](https://auth0.com/) and podcast host, Vittorio Bertocci, invites guest Filip Skokan to have a conversation about a few three-letter extensions to OAuth (which, incidentally, would also fit well in a pirate incantation!): PAR, RAR, and JAR. Filip is a Senior Engineer II at Auth0, the author of a popular book on open source identification, and a contributor to both the [IETF](https://www.ietf.org/) and the [OpenID Foundation](https://openid.net/foundation/).

Before getting into the three extensions, Vittorio asks Filip to share his background in Identity. In 2013, Filip moved to Germany to work for a games publishing company; more specifically, he helped maintain the company’s single sign-on protocol. He was eventually assigned to a special project, and through the process of completing it, he became engrossed in what [OpenID Connect](https://openid.net/connect/) had to offer and started working on his own [OpenID](https://openid.net/) authorization server. He stumbled onto OpenID Connect’s [certification](https://openid.net/certification/) program, learned about defense specifications through his involvement with a team managing certification software, and - through the blur of a rapidly developing career - next recalls speaking at a conference in Chicago. His work on open source projects put him on the radar of Auth0, and he was recruited to join the company. Now, supported by Auth0 and based in the Czech Republic, he continues to contribute to various groups, such as the OpenID Foundation and OAuth, and to feed information on new developments back to Auth0. 

Turning to the three acronyms Vittorio wants to discuss, Filip clarifies what they are and what problems they solve. All three of the acronyms deal with shortcomings in the core OAuth specifications. They are extensions developed to meet changing user needs as [OAuth 2](https://oauth.net/2/) has been applied in many different ways. [RAR](https://oauth.net/2/rich-authorization-requests/), or rich authorization request, is a framework that originated in the [FAPI](https://openid.net/wg/fapi/) working group and that brings more expressive power to authorization requests. [JAR](https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/jar), or JWT-secured authorization request, originally came from OpenID Connect and allows requests to be integrity-protected by making them JWTs. [PAR](https://oauth.net/2/pushed-authorization-requests/), or pushed authorization request, deals with the dilemma of excessively large URLs, turning authorization into a server-to-server call by introducing a pushed authorization endpoint to the authorization server. Vittorio and Filip explain each extension, and while all three extensions are still in the draft stage, Filip shares where each is in the process of standardization for common use.
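How the three extensions combine in one flow, as an added example that is not from the episode or from Auth0: a RAR `authorization_details` payload is wrapped in a signed request object (JAR), pushed over the back channel (PAR), and only a short `request_uri` reference travels through the browser. The in-memory `ToyAuthorizationServer`, the `*.example` hosts, and the use of HS256 with a shared secret (chosen to stay within the standard library) are assumptions of this sketch.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(params: dict, key: bytes) -> str:
    """JAR: carry the authorization parameters as claims of a signed JWT."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(params).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_request_object(jwt: str, key: bytes) -> dict:
    head, body, sig = jwt.split(".")
    if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64d(sig)):
        raise ValueError("request object was modified")
    return json.loads(b64d(body))

class ToyAuthorizationServer:
    def __init__(self, client_keys: dict):
        self.client_keys, self.pushed = client_keys, {}
    def par_endpoint(self, client_id: str, request: str) -> dict:
        """PAR: back-channel POST that stores the request and returns a reference."""
        params = verify_request_object(request, self.client_keys[client_id])
        if params.get("client_id") != client_id:
            raise ValueError("client_id mismatch")
        uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.pushed[uri] = (params, time.monotonic() + 60)
        return {"request_uri": uri, "expires_in": 60}

    def authorization_endpoint(self, client_id: str, request_uri: str) -> dict:
        params, deadline = self.pushed.pop(request_uri)  # one-time use
        if time.monotonic() > deadline or params["client_id"] != client_id:
            raise ValueError("expired request_uri or wrong client")
        return params

KEY = b"constructed-demo-secret"  # constructed sample values from here on
REQUEST = {"client_id": "demo-client", "response_type": "code",
           "redirect_uri": "https://client.example/cb", "authorization_details": [
               {"type": "payment_initiation", "amount": "123.50", "currency": "EUR"}]}

def front_channel_url(cid: str, uri: str) -> str:
    return "https://as.example/authorize?" + urlencode({"client_id": cid, "request_uri": uri})
```

The browser-visible URL carries only `client_id` and `request_uri`, so the payment details never appear in the front channel, and a replayed `request_uri` fails because the stored request is removed on first use.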

## Key Takeaways 

**[06:33]** - What do the three acronyms describe, and what problems do they solve?
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/0d0c0c78"></iframe>

**[07:52]** - What is RAR and what is its contribution of expressive power to requests?
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/21d8541a"></iframe>

**[10:53]** - Vittorio asks about JAR, and Filip shares about its way of using JWTs in transmission.
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/113a130f"></iframe>

**[12:18]** - PAR is next, and it deals with excessively large URLs using pushed authorization endpoints.
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/0fd2d9db"></iframe>

**[15:03]** - PAR has other side effects, as well.
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/a5c3d3ff"></iframe>

**[16:31]** - Vittorio requests more detail on an outworking of PAR.
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/1a19d87e"></iframe>

**[18:55]** - Vittorio asks where the three extensions are in the standardization process.
<iframe width="100%" height="230px" scrolling="no" style="border: none" src="https://identityunlocked.auth0.com/player/403f6e3e"></iframe>

### Links/Resources:

Learn more about [Filip Skokan](https://auth0.com/blog/authors/filip-skokan/) and connect with him on [Twitter](https://twitter.com/_panva?lang=en)<br />
Connect with Vittorio Bertocci on [Twitter](http://www.twitter.com/vibronet)<br />

Learn more about [Identity, Unlocked](https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/episodes)<br />
Learn more about [Auth0](https://auth0.com/)<br />
Learn more about the sponsor for this season, the [OpenID Foundation](https://openid.net/foundation/)<br />

