Identity, Unlocked... Explained: Season 2, Ep. 2

The Overview

In this episode of Identity. Unlocked, principal architect at Auth0 and podcast host, Vittorio Bertocci, invites guest Filip Skokan to have a conversation about a few three-letter extensions to OAuth (which, incidentally, would also fit well in a pirate incantation!): PAR, RAR, and JAR. Filip is a Senior Engineer II at Auth0, the author of a popular book on open source identification, and a contributor to both the IETF and the OpenID Foundation.

Before getting into the three extensions, Vittorio asks Filip to share his background in Identity. In 2013, Filip moved to Germany to work for a games publishing company; more specifically, he helped maintain the company’s single sign-on protocol. He was eventually assigned to a special project, and through the process of completing it, he became engrossed in what OpenID Connect had to offer and started working on his own OpenID authorization server. He stumbled onto OpenID Connect’s certification program, learned about defense specifications through his involvement with a team managing certification software, and - through the blur of a rapidly developing career - next recalls speaking at a conference in Chicago. His work on open source projects put him on the radar of Auth0, and he was recruited to join the company. Now, supported by Auth0 and based in the Czech Republic, he continues to contribute to various groups, such as the OpenID Foundation and OAuth, and to feed information on new developments back to Auth0.

Turning to the three acronyms Vittorio wants to discuss, Filip clarifies what they are and what problems they solve. All three of the acronyms deal with shortcomings in the core OAuth specifications. They are extensions developed to meet changing user needs as OAuth 2 has been applied in many different ways. RAR, or rich authorization request, is a framework that originated in the FAPI working group and that brings more expressive power to authorization requests. JAR, or JWT-secured authorization request, originally came from OpenID Connect and allowed requests to be integrity-protected by making them JWTs. PAR, or pushed authorization request, deals with the dilemma of excessively large URLs, turning authorization into a server-to-server call by introducing a pushed authorization endpoint to the authorization server. Vittorio and Filip explain each extension, and while all three extensions are still in the draft stage, Filip shares where each is in the process of standardization for common use.

Key Takeaways

[06:33] - What do the three acronyms describe, and what problems do they solve?

[07:52] - What is RAR and what is its contribution of expressive power to requests?

[10:53] - Vittorio asks about JAR, and Filip shares about its way of using JWTs in transmission.

[12:18] - PAR is next, and it deals with excessively large URLs using pushed authorization endpoints.

[15:03] - PAR has other side effects, as well.

[16:31] - Vittorio requests more detail on an outworking of PAR.

[18:55] - Vittorio asks where the three extensions are in the standardization process.

Links/Resources:

Learn more about Filip Skokan and connect with him on Twitter
Connect with Vittorio Bertocci on Twitter

Learn more about Identity, Unlocked
Learn more about Auth0
Learn more about the sponsor for this season, the OpenID Foundation