feat(davinci-client): enforce PAR when server mandates it via well-known

If require_pushed_authorization_requests is true in the OIDC discovery
response, the server will reject any direct authorize request. This
change stores the PAR endpoint and mandate flag from the well-known
response in the config slice, then performs a PAR POST before the
authorize redirect whenever the server requires it.

Author: ryanbas21

packages/davinci-client/src/lib/config.slice.test.ts

@@ -68,4 +68,67 @@ describe('The config slice reducers', () => {
       },
     });
   });
+
+  it('should store par endpoint when wellknown includes pushed_authorization_request_endpoint', () => {
+    expect(
+      configSlice.reducer(undefined, {
+        type: 'config/set',
+        payload: {
+          clientId: '123',
+          serverConfig: {
+            wellknown: 'https://base.example.com/as/.well-known/openid-configuration',
+          },
+          wellknownResponse: {
+            authorization_endpoint: 'https://base.example.com/as/authorize',
+            pushed_authorization_request_endpoint: 'https://base.example.com/as/par',
+          },
+        },
+      }),
+    ).toMatchObject({
+      endpoints: {
+        authorize: 'https://base.example.com/as/authorize',
+        par: 'https://base.example.com/as/par',
+      },
+    });
+  });
+
+  it('should store requirePar=true when wellknown requires PAR', () => {
+    expect(
+      configSlice.reducer(undefined, {
+        type: 'config/set',
+        payload: {
+          clientId: '123',
+          serverConfig: {
+            wellknown: 'https://base.example.com/as/.well-known/openid-configuration',
+          },
+          wellknownResponse: {
+            authorization_endpoint: 'https://base.example.com/as/authorize',
+            pushed_authorization_request_endpoint: 'https://base.example.com/as/par',
+            require_pushed_authorization_requests: true,
+          },
+        },
+      }),
+    ).toMatchObject({
+      endpoints: {
+        par: 'https://base.example.com/as/par',
+        requirePar: true,
+      },
+    });
+  });
+
+  it('should not include par fields when wellknown omits them', () => {
+    const result = configSlice.reducer(undefined, {
+      type: 'config/set',
+      payload: {
+        clientId: '123',
+        serverConfig: { wellknown: 'https://base.example.com/as/.well-known/openid-configuration' },
+        wellknownResponse: {
+          authorization_endpoint: 'https://base.example.com/as/authorize',
+        },
+      },
+    });
+
+    expect(result.endpoints).not.toHaveProperty('par');
+    expect(result.endpoints).not.toHaveProperty('requirePar');
+  });
 });

packages/davinci-client/src/lib/config.slice.ts

@@ -60,6 +60,8 @@ export const configSlice = createSlice({
         introspection_endpoint: introspection,
         token_endpoint: tokens,
         userinfo_endpoint: userinfo,
+        pushed_authorization_request_endpoint: par,
+        require_pushed_authorization_requests: requirePar,
       } = action.payload.wellknownResponse;
 
       state.endpoints = {
@@ -68,6 +70,8 @@ export const configSlice = createSlice({
         introspection,
         tokens,
         userinfo,
+        ...(par && { par }),
+        ...(requirePar !== undefined && { requirePar }),
       };
     },
   },

packages/davinci-client/src/lib/davinci.api.ts

@@ -24,6 +24,7 @@ import { initQuery } from '@forgerock/sdk-request-middleware';
 import { createAuthorizeUrl } from '@forgerock/sdk-oidc';
 
 import { handleResponse, transformActionRequest, transformSubmitRequest } from './davinci.utils.js';
+import { shouldUsePar, buildParBody, buildParAuthorizeUrl } from './par.utils.js';
 
 import type { logger as loggerFn } from '@forgerock/sdk-logger';
 import type { ActionTypes, RequestMiddleware } from '@forgerock/sdk-request-middleware';
@@ -270,23 +271,73 @@ export const davinciApi = createApi({
             responseMode: 'pi.flow',
             scope: state?.config?.scope,
           });
-          const url = new URL(authorizeUrl);
-          const existingParams = url.searchParams;
+
+          let finalUrl: URL;
+
+          if (shouldUsePar(state.config.endpoints)) {
+            const parEndpoint = state.config.endpoints.par;
+            if (!parEndpoint) {
+              return {
+                error: {
+                  status: 400,
+                  data: 'Server requires PAR but pushed_authorization_request_endpoint is missing from well-known response',
+                },
+              };
+            }
+
+            const authParams = new URL(authorizeUrl).searchParams;
+            const parBody = buildParBody(Object.fromEntries(authParams.entries()));
+
+            const parRequest: FetchArgs = {
+              url: parEndpoint,
+              credentials: 'include',
+              method: 'POST',
+              headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+              body: parBody.toString(),
+            };
+
+            logger.debug('Davinci PAR request', parRequest);
+            const parResult = await initQuery(parRequest, 'start')
+              .applyMiddleware(requestMiddleware)
+              .applyQuery(async (req: FetchArgs) => await baseQuery(req));
+
+            if (parResult.error) {
+              return parResult;
+            }
+
+            const parResponse = parResult.data as { request_uri?: string };
+            if (!parResponse?.request_uri) {
+              return {
+                error: {
+                  status: 400,
+                  data: 'PAR response missing request_uri',
+                },
+              };
+            }
+
+            finalUrl = new URL(
+              buildParAuthorizeUrl(
+                authorizeEndpoint,
+                state.config.clientId,
+                parResponse.request_uri,
+              ),
+            );
+          } else {
+            finalUrl = new URL(authorizeUrl);
+          }
 
           if (options?.query) {
             Object.entries(options.query).forEach(([key, value]) => {
               /**
                * We use set here because if we have existing params, we want
                * to make sure we override them and not add duplicates
                */
-              existingParams.set(key, String(value));
+              finalUrl.searchParams.set(key, String(value));
             });
-
-            url.search = existingParams.toString();
           }
 
           const request: FetchArgs = {
-            url: url.toString(),
+            url: finalUrl.toString(),
             credentials: 'include',
             method: 'GET',
             headers: {

packages/davinci-client/src/lib/par.utils.test.ts

@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+import { describe, it, expect } from 'vitest';
+import { shouldUsePar, buildParBody, buildParAuthorizeUrl } from './par.utils.js';
+import type { Endpoints } from './wellknown.types.js';
+
+const baseEndpoints: Endpoints = {
+  authorize: 'https://example.com/as/authorize',
+  issuer: 'https://example.com/as',
+  introspection: 'https://example.com/as/introspect',
+  tokens: 'https://example.com/as/token',
+  userinfo: 'https://example.com/as/userinfo',
+};
+
+describe('shouldUsePar', () => {
+  it('returns false when no PAR endpoint exists', () => {
+    expect(shouldUsePar(baseEndpoints)).toBe(false);
+  });
+
+  it('returns false when PAR endpoint exists but requirePar is false', () => {
+    expect(
+      shouldUsePar({ ...baseEndpoints, par: 'https://example.com/as/par', requirePar: false }),
+    ).toBe(false);
+  });
+
+  it('returns true when requirePar is true, even if par endpoint is absent', () => {
+    expect(shouldUsePar({ ...baseEndpoints, requirePar: true })).toBe(true);
+  });
+
+  it('returns true when requirePar is true and par endpoint is present', () => {
+    expect(
+      shouldUsePar({ ...baseEndpoints, par: 'https://example.com/as/par', requirePar: true }),
+    ).toBe(true);
+  });
+});
+
+describe('buildParBody', () => {
+  it('encodes all provided params as form-urlencoded', () => {
+    const body = buildParBody({
+      client_id: 'myClient',
+      redirect_uri: 'https://app.example.com/callback',
+      response_type: 'code',
+      scope: 'openid profile',
+      code_challenge: 'abc123',
+      code_challenge_method: 'S256',
+      state: 'xyz',
+    });
+
+    expect(body.get('client_id')).toBe('myClient');
+    expect(body.get('redirect_uri')).toBe('https://app.example.com/callback');
+    expect(body.get('response_type')).toBe('code');
+    expect(body.get('scope')).toBe('openid profile');
+    expect(body.get('code_challenge')).toBe('abc123');
+    expect(body.get('code_challenge_method')).toBe('S256');
+    expect(body.get('state')).toBe('xyz');
+  });
+
+  it('omits empty string values', () => {
+    const body = buildParBody({
+      client_id: 'myClient',
+      response_type: 'code',
+      prompt: '',
+      response_mode: '',
+    });
+
+    expect(body.has('prompt')).toBe(false);
+    expect(body.has('response_mode')).toBe(false);
+  });
+});
+
+describe('buildParAuthorizeUrl', () => {
+  it('builds a minimal authorize URL with client_id and request_uri only', () => {
+    const url = buildParAuthorizeUrl(
+      'https://example.com/as/authorize',
+      'myClient',
+      'urn:ietf:params:oauth:request_uri:abc123',
+    );
+
+    const parsed = new URL(url);
+    expect(parsed.origin + parsed.pathname).toBe('https://example.com/as/authorize');
+    expect(parsed.searchParams.get('client_id')).toBe('myClient');
+    expect(parsed.searchParams.get('request_uri')).toBe('urn:ietf:params:oauth:request_uri:abc123');
+    expect(parsed.searchParams.size).toBe(2);
+  });
+});

packages/davinci-client/src/lib/par.utils.ts

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+import type { Endpoints } from './wellknown.types.js';
+
+/**
+ * Returns true if the server mandates PAR via require_pushed_authorization_requests.
+ * A client-side usePar flag cannot override a server mandate (RFC 9126).
+ */
+export function shouldUsePar(endpoints: Endpoints): boolean {
+  return endpoints.requirePar === true;
+}
+
+/**
+ * Builds the form-urlencoded body for a PAR request (RFC 9126 §2.1).
+ * Empty string values are omitted — they carry no meaning on the wire.
+ */
+export function buildParBody(params: Record<string, string>): URLSearchParams {
+  const body = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value !== '') {
+      body.set(key, value);
+    }
+  }
+  return body;
+}
+
+/**
+ * Builds the authorization URL after a successful PAR response.
+ * Per RFC 9126 §4, only client_id and request_uri are sent — all other
+ * authorization parameters were already submitted in the PAR request.
+ */
+export function buildParAuthorizeUrl(
+  authorizeEndpoint: string,
+  clientId: string,
+  requestUri: string,
+): string {
+  const url = new URL(authorizeEndpoint);
+  url.searchParams.set('client_id', clientId);
+  url.searchParams.set('request_uri', requestUri);
+  return url.toString();
+}

packages/davinci-client/src/lib/wellknown.types.ts

@@ -18,4 +18,8 @@ export interface Endpoints {
   introspection: string;
   tokens: string;
   userinfo: string;
+  /** PAR endpoint — present when server advertises pushed_authorization_request_endpoint */
+  par?: string;
+  /** Whether the server mandates PAR regardless of client config */
+  requirePar?: boolean;
 }