feat: OAuth 2.0 Pushed Authorization Requests (PAR) is now a stable f…

…eature
panva · Sep 15, 2021 · 3c54d8d · 3c54d8d
1 parent 221e249
commit 3c54d8d
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ _Note that not all features are enabled by default, check the configuration sect
 - [RFC8705 - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS)][mtls]
 - [RFC8707 - OAuth 2.0 Resource Indicators][resource-indicators]
 - [RFC9101 - OAuth 2.0 JWT-Secured Authorization Request (JAR)][jar]
+- [RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR) - draft 08][par]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][fapi]
 - [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 (CIBA)][ciba]
 
@@ -47,7 +48,6 @@ The following draft specifications are implemented by oidc-provider:
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
 - [OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 01][iss-auth-resp]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
-- [OAuth 2.0 Pushed Authorization Requests (PAR) - draft 08][par]
 - [OpenID Connect Back-Channel Logout 1.0 - draft 06][backchannel-logout]
 - [OpenID Connect RP-Initiated Logout 1.0 - draft 01][rpinitiated-logout]
 
@@ -145,7 +145,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [jwt-at]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-11
 [paseto-at]: https://paseto.io
 [support-sponsor]: https://github.com/sponsors/panva
-[par]: https://tools.ietf.org/html/draft-ietf-oauth-par-08
+[par]: https://www.rfc-editor.org/rfc/rfc9126.html
 [rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
 [iss-auth-resp]: https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-01
 [fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html

diff --git a/docs/README.md b/docs/README.md
@@ -1351,18 +1351,14 @@ false
 
 ### features.pushedAuthorizationRequests
 
-[draft-ietf-oauth-par-08](https://tools.ietf.org/html/draft-ietf-oauth-par-08) - OAuth 2.0 Pushed Authorization Requests (PAR)  
+[RFC9126](https://www.rfc-editor.org/rfc/rfc9126.html) - OAuth 2.0 Pushed Authorization Requests (PAR)  
 
-Enables the use of `pushed_authorization_request_endpoint` defined by the Pushed Authorization Requests draft.   
-
-
-_**recommendation**_: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, [acknowledge](#features) the version and be notified of breaking changes as part of your CI.  
+Enables the use of `pushed_authorization_request_endpoint` defined by the Pushed Authorization Requests RFC.  
 
 
 _**default value**_:
 ```js
 {
-  ack: undefined,
   enabled: false,
   requirePushedAuthorizationRequests: false
 }

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1368,22 +1368,14 @@ function getDefaults() {
       /*
        * features.pushedAuthorizationRequests
        *
-       * title: [draft-ietf-oauth-par-08](https://tools.ietf.org/html/draft-ietf-oauth-par-08) - OAuth 2.0 Pushed Authorization Requests (PAR)
+       * title: [RFC9126](https://www.rfc-editor.org/rfc/rfc9126.html) - OAuth 2.0 Pushed Authorization Requests (PAR)
        *
        * description: Enables the use of `pushed_authorization_request_endpoint` defined by the Pushed
-       * Authorization Requests draft.
-       *
-       * recommendation: Updates to draft specification versions are released as MINOR library versions,
-       * if you utilize these specification implementations consider using the tilde `~` operator
-       * in your package.json since breaking changes may be introduced as part of these version
-       * updates. Alternatively, [acknowledge](#features) the version and be notified of breaking
-       * changes as part of your CI.
+       * Authorization Requests RFC.
        */
       pushedAuthorizationRequests: {
         enabled: false,
 
-        ack: undefined,
-
         /*
          * features.pushedAuthorizationRequests.requirePushedAuthorizationRequests
          *

diff --git a/lib/helpers/features.js b/lib/helpers/features.js
@@ -5,10 +5,11 @@ const STABLE = new Set([
   'deviceFlow',
   'devInteractions',
   'encryption',
+  'fapi',
   'introspection',
   'jwtUserinfo',
   'mTLS',
-  'fapi',
+  'pushedAuthorizationRequests',
   'registration',
   'registrationManagement',
   'requestObjects',
@@ -43,12 +44,6 @@ const DRAFTS = new Map(Object.entries({
     url: 'https://openid.net/specs/openid-financial-api-jarm-ID1.html',
     version: [1, 2, 'draft-02', 'implementers-draft-01'],
   },
-  pushedAuthorizationRequests: {
-    name: 'OAuth 2.0 Pushed Authorization Requests - draft 08',
-    type: 'IETF OAuth Working Group draft',
-    url: 'https://tools.ietf.org/html/draft-ietf-oauth-par-08',
-    version: [0, 'individual-draft-01', 'draft-00', 'draft-01', 'draft-02', 'draft-03', 'draft-04', 'draft-05', 'draft-06', 'draft-07', 'draft-08'],
-  },
   webMessageResponseMode: {
     name: 'OAuth 2.0 Web Message Response Mode - draft 00',
     type: 'Individual draft',