In this episode of Identity, Unlocked, principal architect at Auth0 and podcast host, Vittorio Bertocci, invites guest Filip Skokan to have a conversation about a few three-letter extensions to OAuth (which, incidentally, would also fit well in a pirate incantation!): PAR, RAR, and JAR. Filip is a Senior Engineer II at Auth0, the author of a popular book on open source identification, and a contributor to both the IETF and the OpenID Foundation.
Before getting into the three extensions, Vittorio asks Filip to share his background in Identity. In 2013, Filip moved to Germany to work for a games publishing company; more specifically, he helped maintain the company’s single sign-on protocol. He was eventually assigned to a special project, and through the process of completing it, he became engrossed in what OpenID Connect had to offer and started working on his own OpenID authorization server. He stumbled onto OpenID Connect’s certification program, learned about defense specifications through his involvement with a team managing certification software, and - through the blur of a rapidly developing career - next recalls speaking at a conference in Chicago. His work on open source projects put him on the radar of Auth0, and he was recruited to join the company. Now, supported by Auth0 and based in the Czech Republic, he continues to contribute to various groups, such as the OpenID Foundation and OAuth, and to feed information on new developments back to Auth0.
Turning to the three acronyms Vittorio wants to discuss, Filip clarifies what they are and what problems they solve. All three of the acronyms deal with shortcomings in the core OAuth specifications. They are extensions developed to meet changing user needs as OAuth 2 has been applied in many different ways. RAR, or rich authorization request, is a framework that originated in the FAPI working group and that brings more expressive power to authorization requests. JAR, or JWT-secured authorization request, originally came from OpenID Connect and allowed requests to be integrity-protected by making them JWTs. PAR, or pushed authorization request, deals with the dilemma of excessively large URLs, turning authorization into a server-to-server call by introducing a pushed authorization endpoint to the authorization server. Vittorio and Filip explain each extension, and while all three extensions are still in the draft stage, Filip shares where each is in the process of standardization for common use.
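How the three extensions combine in one request, as an added example that is not from the episode or from Auth0: a RAR `authorization_details` entry is signed as a JAR request object and pushed to a toy in-memory PAR endpoint, which returns a short `request_uri` for the browser redirect. The client id, key, URLs, payment values and the HS256 choice are constructed assumptions, and `expires_in` is returned but not enforced.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_request_object(params: dict, key: bytes) -> str:
    """JAR: carry the authorization parameters as claims of a signed JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(params).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_request_object(jwt: str, key: bytes) -> dict:
    """Reject the request if any parameter changed after signing."""
    header, body, sig = jwt.split(".")
    expected = b64url(hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("request object signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

class ToyAuthorizationServer:
    """In-memory stand-in (assumption) for a server with a PAR endpoint."""
    def __init__(self, client_keys: dict):
        self.client_keys, self.pushed = client_keys, {}

    def pushed_authorization(self, client_id: str, request: str) -> dict:
        # PAR: server-to-server call; validate first, then hand back a reference.
        claims = verify_request_object(request, self.client_keys[client_id])
        uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.pushed[uri] = (client_id, claims)
        return {"request_uri": uri, "expires_in": 60}

    def authorize(self, client_id: str, request_uri: str) -> dict:
        owner, claims = self.pushed.pop(request_uri)  # single use; KeyError on replay
        if owner != client_id:
            raise ValueError("request_uri was issued to another client")
        return claims

# Constructed sample request carrying one RAR authorization_details entry.
KEY = b"constructed-demo-secret"
PARAMS = {"client_id": "demo-client", "response_type": "code",
          "authorization_details": [{"type": "payment_initiation", "actions": ["initiate"],
                                     "instructedAmount": {"currency": "EUR", "amount": "123.50"}}]}

def front_channel_urls(server: ToyAuthorizationServer) -> tuple:
    jar = sign_request_object(PARAMS, KEY)
    ref = server.pushed_authorization("demo-client", jar)["request_uri"]
    url = lambda p: "https://as.example/authorize?" + urlencode({"client_id": "demo-client", **p})
    return url({"request": jar}), url({"request_uri": ref}), ref
```

The first URL carries the whole signed request through the browser; the second carries only the reference, so its length stays constant however detailed the `authorization_details` become.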
[06:33] - What do the three acronyms describe, and what problems do they solve?
[07:52] - What is RAR and what is its contribution of expressive power to requests?
[10:53] - Vittorio asks about JAR, and Filip shares about its way of using JWTs in transmission.
[12:18] - PAR is next, and it deals with excessively large URLs using pushed authorization endpoints.
[15:03] - PAR has other side effects, as well.
[16:31] - Vittorio requests more detail on an outworking of PAR.
[18:55] - Vittorio asks where the three extensions are in the standardization process.
Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. Vittorio Bertocci is Principal Architect at Auth0 and applies his vast knowledge of the identity industry to Auth0 in all aspects of the company, including internal and external education, product innovation, and customer integration.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0’s simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.