# PAR

Pushed authorization request (PAR) is a secure way to initiate the authorization flow. All parameters are sent in the body of the request (see OAuth 2.0 Pushed Authorization Requests RFC).

Endpoint: POST /oidc/request

## Request fields (application/x-www-form-urlencoded):

  - `client_id` (string, required)
    Client ID for which authentication is requested.

  - `client_secret` (string, required)
    Client secret.

  - `redirect_uri` (string, required)
    URI to redirect to upon completion of the authentication flow. This is the server GET endpoint that calls the token endpoint, and it should accept `code` as a query parameter. This URI must also be configured as an allowed redirect URI in the Admin Portal.

  - `response_type` (string, required)
    Response type requested for the authentication flow.
    Enum: "code"

  - `scope` (string)
    Scope of the requested access. Used to request specific user details such as email. Must include `openid` and can include additional values (space delimited). The `offline_access` scope allows refreshing access tokens.
    Enum: "openid", "email", "phone", "offline_access"

  - `prompt` (string)
    Space-delimited, case-sensitive list of string values that specifies whether the Authorization Server prompts the end-user for reauthentication and consent.
    Enum: "none", "login", "consent"

  - `nonce` (string)
    A random value included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It will be added to the `id_token`, and the backend service should only accept `id_token`s that include the same nonce value as the one included in the original request.

  - `state` (string)
    An opaque string used to maintain state between the request and the callback. It will be added to the redirect URI as a query parameter, which should be validated by your server to protect against cross-site request forgery (CSRF) attacks.

  - `resource` (string)
    Resource URI the authentication request is attempting to access, which is reflected in the audience (`aud` claim) of the access token. This must be configured as a resource for the application.

  - `claims` (string)
    A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data.
    The structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).
    Note: You should stringify the value.

  - `acr_values` (string)
    Requested ACR values, specified as a space-separated string. The `acr` claim of the resulting ID token will indicate which requirements were satisfied.
    Enum: "mfa", "phone_number", "urn:transmit:google_direct", "urn:transmit:apple_direct", "urn:transmit:facebook_direct", "urn:transmit:line_direct", "urn:transmit:centralized"

  - `createNewUser` (boolean)
    Indicates if a new user should be created if one doesn't already exist (or associated with the app if the user isn't already). Public sign up must be enabled for this application.

  - `login_hint` (string)
    Hint for the user's login identifier for WebAuthn login.

  - `custom_message` (string)
    Custom message to present on the consent screens for WebAuthn login, which provides authentication context details.
    Example: "Welcome to Acme"

  - `ui_locales` (string)
    Preferred languages for the user interface for WebAuthn login, specified as a space-separated list of language tag values [RFC5646], ordered by preference.

  - `org_id` (string)
    Organization ID, used for member login in B2B scenarios.

  - `code_challenge` (string)
    A hashed value of the `code_verifier`, required for PKCE.

  - `code_challenge_method` (string)
    The hashing mechanism used to transform a `code_verifier` into the `code_challenge` in PKCE flows. Must be `S256`.

## Response 200 fields (application/json):

  - `request_uri` (string, required)
    A single-use reference to the respective request data in the subsequent authorization request.

  - `expires_in` (integer, required)
    A positive integer indicating the lifetime of the `request_uri`, in seconds from the time the request was received.
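
The following is an added example (not code from the original page or from Transmit Security) showing how a confidential client assembles the form body above with S256 PKCE, `state` and `nonce`, and then turns the 200 response into the follow-up authorization request. The host `issuer.example.com`, the authorization endpoint path `/oidc/auth` and the sample response values are assumptions; only the path `POST /oidc/request` and the field names come from this page.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

# Hypothetical host: the page only gives the path POST /oidc/request.
BASE_URL = "https://issuer.example.com"
# Assumed authorization endpoint path; not stated on this page.
AUTHORIZE_PATH = "/oidc/auth"


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) using S256, the only method allowed here."""
    if verifier is None:  # 32 random bytes -> 43-char base64url verifier
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_par_form(client_id: str, client_secret: str, redirect_uri: str,
                   code_challenge: str, state: str, nonce: str,
                   scope: str = "openid email offline_access") -> str:
    """Body for POST /oidc/request (application/x-www-form-urlencoded)."""
    if "openid" not in scope.split():
        raise ValueError("scope must include openid")
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,  # echoed back on the redirect; the callback must verify it
        "nonce": nonce,  # bound into the id_token; the backend must verify it
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })


def authorize_url(par_response: dict, client_id: str) -> str:
    """Turn the 200 response into the URL the browser is sent to next."""
    if int(par_response.get("expires_in", 0)) <= 0:
        raise ValueError("request_uri already expired")
    query = {"client_id": client_id, "request_uri": par_response["request_uri"]}
    return f"{BASE_URL}{AUTHORIZE_PATH}?{urlencode(query)}"


# Constructed sample 200 response (shape from this page, values made up).
SAMPLE_PAR_RESPONSE = {"request_uri": "urn:ietf:params:oauth:request_uri:example", "expires_in": 60}
```

Send the string from `build_par_form` as the body of `POST /oidc/request` with any HTTP client, keep the `code_verifier`, `state` and `nonce` in the server-side session, and redirect the browser to the result of `authorize_url`; the `request_uri` is single-use, so a second redirect needs a fresh PAR call.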

## Response 400 fields (application/json):

  - `message` (array, required)
    Example: "Bad request"

  - `error_code` (number, required)
    Example: 400

## Response 500 fields (application/json):

  - `message` (string, required)
    Example: "Something went wrong - Internal server error"

  - `error_code` (number, required)
    Example: 500