Merge pull request #631 from ForgeRock/par

feat(oidc-client): add-par-support

Author: ryanbas21

.changeset/some-shirts-joke.md

@@ -0,0 +1,9 @@
+---
+'@forgerock/sdk-request-middleware': minor
+'@forgerock/sdk-oidc': minor
+'@forgerock/davinci-client': minor
+'@forgerock/oidc-client': minor
+'am-mock-api': patch
+---
+
+Add support for PAR in oidc-client requests for redirect flows

e2e/am-mock-api/src/app/constants.js

@@ -9,6 +9,7 @@
  */
 
 export const authPaths = {
+  par: ['/am/oauth2/realms/root/par'],
   tokenExchange: [
     '/am/auth/tokenExchange',
     '/am/oauth2/realms/root/access_token',

e2e/am-mock-api/src/app/responses.js

@@ -1348,6 +1348,11 @@ export const recaptchaEnterpriseCallback = {
   ],
 };
 
+export const parResponse = {
+  request_uri: 'urn:ietf:params:oauth:request_uri:mock-par-request-uri',
+  expires_in: 60,
+};
+
 export const qrCodeCallbacksResponse = {
   authId: 'qrcode-journey-confirmation',
   callbacks: [

e2e/am-mock-api/src/app/routes.auth.js

@@ -49,6 +49,7 @@ import {
   MetadataMarketPlacePingOneEvaluation,
   newPiWellKnown,
   qrCodeCallbacksResponse,
+  parResponse,
 } from './responses.js';
 import initialRegResponse from './response.registration.js';
 import {
@@ -664,6 +665,16 @@ export default function (app) {
 
   app.get('/callback', (req, res) => res.status(200).send('ok'));
 
+  app.post(authPaths.par, (req, res) => {
+    if (req.query.scenario === 'error') {
+      return res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'Missing required PAR parameter',
+      });
+    }
+    res.status(201).json(parResponse);
+  });
+
   app.get('/am/.well-known/oidc-configuration', (req, res) => {
     res.send(wellKnownForgeRock);
   });

e2e/oidc-app/src/index.html

@@ -12,6 +12,7 @@ <h2>OIDC Client E2E Test Index | Ping Identity JavaScript SDK</h2>
       <div id="nav">
         <a href="/ping-am/">Ping AM</a>
         <a href="/ping-one/">Ping One</a>
+        <a href="/par/">PAR (Pushed Authorization Request)</a>
       </div>
     </div>
     <script type="module" src="index.ts"></script>

e2e/oidc-app/src/par/index.html

@@ -0,0 +1,63 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>E2E Test | Ping Identity JavaScript SDK</title>
+
+    <style>
+      #logout {
+        display: none;
+      }
+      #user-info-btn {
+        display: none;
+      }
+      fieldset {
+        display: inline-flex;
+        flex-direction: column;
+        gap: 0.4rem;
+        margin-bottom: 1rem;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="app">
+      <a href="/">Home</a>
+      <h1>OIDC App | PAR Login (Pushed Authorization Request)</h1>
+      <p>
+        Client: <code>ParClient</code> &mdash; PAR enabled. Authorize params are sent via
+        back-channel POST to <code>/par</code> first, then a slim URL (<code
+          >client_id + request_uri</code
+        >
+        only) is used for the authorize redirect.
+      </p>
+
+      <h2>Step 1: Establish AM Session (Journey: Login)</h2>
+      <p>
+        Background PAR auth requires an existing AM session. Log in via the Login journey first.
+      </p>
+      <form id="journey-form">
+        <fieldset>
+          <label for="username">User Name</label>
+          <input id="username" type="text" autocomplete="username" />
+          <label for="password">Password</label>
+          <input id="password" type="password" autocomplete="current-password" />
+          <button type="submit">Login (Journey)</button>
+        </fieldset>
+      </form>
+      <p id="journey-status"></p>
+
+      <h2>Step 2: PAR OAuth</h2>
+      <button id="login-background" disabled>Login (Background &mdash; PAR + iframe)</button>
+      <button id="login-redirect">Login (Redirect &mdash; PAR slim URL)</button>
+      <button id="get-tokens">Get Tokens (Local)</button>
+      <button id="get-tokens-background">Get Tokens (Background)</button>
+      <button id="renew-tokens">Renew Tokens</button>
+      <button id="logout">Logout</button>
+      <button id="user-info-btn">User Info</button>
+      <button id="revoke">Revoke Token</button>
+      <a href="/par/">Start Over</a>
+    </div>
+    <script type="module" src="./main.ts"></script>
+  </body>
+</html>

e2e/oidc-app/src/par/main.ts

@@ -0,0 +1,82 @@
+/*
+ *
+ * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ */
+import { oidcApp } from '../utils/oidc-app.js';
+
+const AM_BASE = 'https://openam-sdks.forgeblocks.com/am';
+const REALM = 'alpha';
+
+const urlParams = new URLSearchParams(window.location.search);
+const wellknown = urlParams.get('wellknown');
+
+const config = {
+  clientId: 'ParClient',
+  redirectUri: 'http://localhost:8443/par/',
+  scope: 'openid profile email',
+  par: true,
+  serverConfig: {
+    wellknown:
+      wellknown ||
+      'https://openam-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration',
+  },
+};
+
+// Run journey Login to establish an AM session before background PAR auth
+async function runLoginJourney(username: string, password: string): Promise<void> {
+  const authenticateUrl = `${AM_BASE}/json/realms/root/realms/${REALM}/authenticate?authIndexType=service&authIndexValue=Login`;
+
+  // Step 1: start the journey
+  const initRes = await fetch(authenticateUrl, {
+    method: 'POST',
+    credentials: 'include',
+    headers: { 'Content-Type': 'application/json', 'Accept-API-Version': 'resource=2.1' },
+    body: '{}',
+  });
+  const initJson = await initRes.json();
+
+  if (initJson.successUrl) return; // already authenticated
+
+  // Fill NameCallback + PasswordCallback
+  for (const cb of initJson.callbacks ?? []) {
+    if (cb.type === 'NameCallback') cb.input[0].value = username;
+    if (cb.type === 'PasswordCallback') cb.input[0].value = password;
+  }
+
+  // Step 2: submit credentials
+  const submitRes = await fetch(authenticateUrl, {
+    method: 'POST',
+    credentials: 'include',
+    headers: { 'Content-Type': 'application/json', 'Accept-API-Version': 'resource=2.1' },
+    body: JSON.stringify(initJson),
+  });
+  const submitJson = await submitRes.json();
+
+  if (!submitJson.tokenId && !submitJson.successUrl) {
+    throw new Error(submitJson.message || 'Login failed');
+  }
+}
+
+const journeyForm = document.getElementById('journey-form') as HTMLFormElement;
+const journeyStatus = document.getElementById('journey-status') as HTMLParagraphElement;
+const backgroundBtn = document.getElementById('login-background') as HTMLButtonElement;
+
+journeyForm.addEventListener('submit', async (e) => {
+  e.preventDefault();
+  const username = (document.getElementById('username') as HTMLInputElement).value;
+  const password = (document.getElementById('password') as HTMLInputElement).value;
+  journeyStatus.textContent = 'Logging in…';
+  try {
+    await runLoginJourney(username, password);
+    journeyStatus.textContent = '✓ Session established — background login now available.';
+    backgroundBtn.disabled = false;
+  } catch (err) {
+    journeyStatus.textContent = `✗ ${err instanceof Error ? err.message : 'Login failed'}`;
+  }
+});
+
+oidcApp({ config, urlParams });

e2e/oidc-app/src/utils/oidc-app.ts

@@ -49,8 +49,11 @@ export async function oidcApp({ config, urlParams }) {
   const code = urlParams.get('code');
   const state = urlParams.get('state');
   const piflow = urlParams.get('piflow');
+  const par = urlParams.get('par') === 'true';
 
-  const oidcClient: OidcClient = await oidc({ config });
+  const oidcClient: OidcClient = await oidc({
+    config: { ...config, ...(par && { par: true }) },
+  });
   if ('error' in oidcClient) {
     displayError(oidcClient);
   }

e2e/oidc-app/vite.config.ts

@@ -4,7 +4,7 @@ import { dirname, resolve } from 'path';
 import { fileURLToPath } from 'url';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const pages = ['ping-am', 'ping-one'];
+const pages = ['ping-am', 'ping-one', 'par'];
 export default defineConfig(() => ({
   root: __dirname + '/src',
   cacheDir: '../../node_modules/.vite/e2e/oidc-app',

e2e/oidc-suites/src/login.spec.ts

@@ -152,7 +152,7 @@ test('oidc client fails to initialize with bad wellknown', async ({ page }) => {
   await page.getByRole('button', { name: 'Login (Background)' }).click();
 
   await expect(page.locator('.error')).toContainText(
-    'Authorization endpoint not found in wellknown configuration',
+    'Failed to fetch well-known configuration from:',
   );
   await expect(page.locator('.error')).toContainText('wellknown_error');
 });