ForgeRock · ryanbas21 · May 11, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/.changeset/some-shirts-joke.md b/.changeset/some-shirts-joke.md
@@ -0,0 +1,9 @@
+---
+'@forgerock/sdk-request-middleware': minor
+'@forgerock/sdk-oidc': minor
+'@forgerock/davinci-client': minor
+'@forgerock/oidc-client': minor
+'am-mock-api': patch
+---
+
+Add support for PAR in oidc-client requests for redirect flows
diff --git a/e2e/am-mock-api/src/app/constants.js b/e2e/am-mock-api/src/app/constants.js
@@ -9,6 +9,7 @@
  */
 
 export const authPaths = {
+  par: ['/am/oauth2/realms/root/par'],
   tokenExchange: [
     '/am/auth/tokenExchange',
     '/am/oauth2/realms/root/access_token',

diff --git a/e2e/am-mock-api/src/app/responses.js b/e2e/am-mock-api/src/app/responses.js
@@ -1348,6 +1348,11 @@ export const recaptchaEnterpriseCallback = {
   ],
 };
 
+export const parResponse = {
+  request_uri: 'urn:ietf:params:oauth:request_uri:mock-par-request-uri',
+  expires_in: 60,
+};
+
 export const qrCodeCallbacksResponse = {
   authId: 'qrcode-journey-confirmation',
   callbacks: [

diff --git a/e2e/am-mock-api/src/app/routes.auth.js b/e2e/am-mock-api/src/app/routes.auth.js
@@ -49,6 +49,7 @@ import {
   MetadataMarketPlacePingOneEvaluation,
   newPiWellKnown,
   qrCodeCallbacksResponse,
+  parResponse,
 } from './responses.js';
 import initialRegResponse from './response.registration.js';
 import {
@@ -664,6 +665,10 @@ export default function (app) {
 
   app.get('/callback', (req, res) => res.status(200).send('ok'));
 
+  app.post(authPaths.par, (req, res) => {
+    res.status(201).json(parResponse);
+  });
+
   app.get('/am/.well-known/oidc-configuration', (req, res) => {
     res.send(wellKnownForgeRock);
   });

diff --git a/e2e/oidc-app/src/index.html b/e2e/oidc-app/src/index.html
@@ -12,6 +12,7 @@ <h2>OIDC Client E2E Test Index | Ping Identity JavaScript SDK</h2>
       <div id="nav">
         <a href="/ping-am/">Ping AM</a>
         <a href="/ping-one/">Ping One</a>
+        <a href="/par/">PAR (Pushed Authorization Request)</a>
       </div>
     </div>
     <script type="module" src="index.ts"></script>

diff --git a/e2e/oidc-app/src/par/index.html b/e2e/oidc-app/src/par/index.html
@@ -0,0 +1,33 @@
+<!doctype html>
+<html>
+  <head>
+    <title>E2E Test | Ping Identity JavaScript SDK</title>
+
+    <style>
+      #logout {
+        display: none;
+      }
+    </style>
+  </head>
+  <body>
+    <div id="app">
+      <a href="/">Home</a>
+      <h1>OIDC App | PAR Login (Pushed Authorization Request)</h1>
+      <p>
+        Client: <code>ParClient</code> &mdash; PAR enabled. Authorize params POST back-channel to
+        <code>/par</code> first; the authorize redirect uses only
+        <code>client_id + request_uri</code>.
+      </p>
+      <button id="login-background">Login (Background &mdash; PAR + iframe)</button>
+      <button id="login-redirect">Login (Redirect &mdash; PAR slim URL)</button>
+      <button id="get-tokens">Get Tokens (Local)</button>
+      <button id="get-tokens-background">Get Tokens (Background)</button>
+      <button id="renew-tokens">Renew Tokens</button>
+      <button id="logout">Logout</button>
+      <button id="user-info-btn">User Info</button>
+      <button id="revoke">Revoke Token</button>
+      <a href="/par/">Start Over</a>
+    </div>
+    <script type="module" src="./main.ts"></script>
+  </body>
+</html>
diff --git a/e2e/oidc-app/src/par/main.ts b/e2e/oidc-app/src/par/main.ts
@@ -0,0 +1,27 @@
+/*
+ *
+ * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ */
+import { oidcApp } from '../utils/oidc-app.js';
+
+const urlParams = new URLSearchParams(window.location.search);
+const clientId = urlParams.get('clientid');
+const wellknown = urlParams.get('wellknown');
+
+const config = {
+  clientId: clientId || 'ParClient',
+  redirectUri: 'http://localhost:8443/par/',
+  scope: 'openid profile email',
+  par: true,
+  serverConfig: {
+    wellknown:
+      wellknown ||
+      'https://openam-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration',
+  },
+};
+
+oidcApp({ config, urlParams });
diff --git a/e2e/oidc-app/src/utils/oidc-app.ts b/e2e/oidc-app/src/utils/oidc-app.ts
@@ -49,8 +49,11 @@ export async function oidcApp({ config, urlParams }) {
   const code = urlParams.get('code');
   const state = urlParams.get('state');
   const piflow = urlParams.get('piflow');
+  const par = urlParams.get('par') === 'true';
 
-  const oidcClient: OidcClient = await oidc({ config });
+  const oidcClient: OidcClient = await oidc({
+    config: { ...config, ...(par && { par: true }) },
+  });
   if ('error' in oidcClient) {
     displayError(oidcClient);
   }

diff --git a/e2e/oidc-app/vite.config.ts b/e2e/oidc-app/vite.config.ts
@@ -4,7 +4,7 @@ import { dirname, resolve } from 'path';
 import { fileURLToPath } from 'url';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const pages = ['ping-am', 'ping-one'];
+const pages = ['ping-am', 'ping-one', 'par'];
 export default defineConfig(() => ({
   root: __dirname + '/src',
   cacheDir: '../../node_modules/.vite/e2e/oidc-app',

diff --git a/e2e/oidc-suites/src/par.spec.ts b/e2e/oidc-suites/src/par.spec.ts
@@ -0,0 +1,85 @@
+/*
+ *
+ * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ */
+import { test, expect } from '@playwright/test';
+import { pingAmUsername, pingAmPassword } from './utils/demo-users.js';
+import { asyncEvents } from './utils/async-events.js';
+
+test.describe('PAR (Pushed Authorization Request) login tests', () => {
+  test('background login with PAR enabled (ParClient) obtains access token', async ({ page }) => {
+    const { clickWithRedirect, navigate } = asyncEvents(page);
+
+    const parRequests: string[] = [];
+
+    page.on('request', (request) => {
+      if (request.method() === 'POST' && request.url().includes('/par')) {
+        parRequests.push(request.url());
+      }
+    });
+
+    await navigate('/par/');
+
+    await clickWithRedirect('Login (Background)', '**/am/XUI/**');
+
+    await page.getByLabel('User Name').fill(pingAmUsername);
+    await page.getByRole('textbox', { name: 'Password' }).fill(pingAmPassword);
+    await clickWithRedirect('Next', 'http://localhost:8443/par/**');
+
+    expect(page.url()).toContain('code');
+    expect(page.url()).toContain('state');
+
+    await expect(page.locator('#accessToken-0')).not.toBeEmpty();
+
+    // PAR POST was made for background request
+    expect(parRequests.length).toBeGreaterThan(0);
+  });
+
+  test('redirect login with PAR enabled obtains access token and uses slim authorize URL', async ({
+    page,
+  }) => {
+    const { clickWithRedirect, navigate } = asyncEvents(page);
+
+    const parRequests: string[] = [];
+    const parAuthorizeUrls: string[] = [];
+
+    page.on('request', (request) => {
+      if (request.method() === 'POST' && request.url().includes('/par')) {
+        parRequests.push(request.url());
+      }
+      // Capture only the slim PAR authorize redirect (has request_uri, not scope)
+      if (request.url().includes('/authorize') && request.url().includes('request_uri=')) {
+        parAuthorizeUrls.push(request.url());
+      }
+    });
+
+    await navigate('/ping-am/?par=true');
+
+    await clickWithRedirect('Login (Redirect)', '**/am/XUI/**');
+
+    await page.getByLabel('User Name').fill(pingAmUsername);
+    await page.getByRole('textbox', { name: 'Password' }).fill(pingAmPassword);
+    await clickWithRedirect('Next', 'http://localhost:8443/ping-am/**');
+
+    expect(page.url()).toContain('code');
+    expect(page.url()).toContain('state');
+
+    await expect(page.locator('#accessToken-0')).not.toBeEmpty();
+
+    // PAR POST was made
+    expect(parRequests.length).toBeGreaterThan(0);
+
+    // Slim authorize URL contains only client_id + request_uri (not scope/code_challenge)
+    expect(parAuthorizeUrls.length).toBeGreaterThan(0);
+    const authorizeUrl = new URL(parAuthorizeUrls[0]);
+    expect(authorizeUrl.searchParams.has('client_id')).toBe(true);
+    expect(authorizeUrl.searchParams.has('request_uri')).toBe(true);
+    expect(authorizeUrl.searchParams.has('scope')).toBe(false);
+    expect(authorizeUrl.searchParams.has('code_challenge')).toBe(false);
+    expect(authorizeUrl.searchParams.has('redirect_uri')).toBe(false);
+  });
+});
diff --git a/packages/oidc-client/api-report/oidc-client.api.md b/packages/oidc-client/api-report/oidc-client.api.md
@@ -123,6 +123,10 @@ oidc: CombinedState<    {
 authorizeFetch: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizeSuccessResponse, "oidc", unknown>;
+par: MutationDefinition<    {
+endpoint: string;
+body: URLSearchParams;
+}, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, PushAuthorizationResponse, "oidc", unknown>;
 authorizeIframe: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizationSuccess, "oidc", unknown>;
@@ -155,6 +159,10 @@ oidc: CombinedState<    {
 authorizeFetch: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizeSuccessResponse, "oidc", unknown>;
+par: MutationDefinition<    {
+endpoint: string;
+body: URLSearchParams;
+}, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, PushAuthorizationResponse, "oidc", unknown>;
 authorizeIframe: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizationSuccess, "oidc", unknown>;
@@ -281,6 +289,8 @@ export interface OidcConfig extends AsyncLegacyConfigOptions {
     // (undocumented)
     clientId: string;
     // (undocumented)
+    par?: boolean;
+    // (undocumented)
     redirectUri: string;
     // (undocumented)
     responseType?: ResponseType_2;
@@ -296,6 +306,14 @@ export interface OidcConfig extends AsyncLegacyConfigOptions {
 // @public (undocumented)
 export type OptionalAuthorizeOptions = Partial<GetAuthorizationUrlOptions>;
 
+// @public (undocumented)
+export interface PushAuthorizationResponse {
+    // (undocumented)
+    expires_in: number;
+    // (undocumented)
+    request_uri: string;
+}
+
 export { RequestMiddleware }
 
 export { ResponseType_2 as ResponseType }

diff --git a/packages/oidc-client/api-report/oidc-client.types.api.md b/packages/oidc-client/api-report/oidc-client.types.api.md
@@ -123,6 +123,10 @@ oidc: CombinedState<    {
 authorizeFetch: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizeSuccessResponse, "oidc", unknown>;
+par: MutationDefinition<    {
+endpoint: string;
+body: URLSearchParams;
+}, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, PushAuthorizationResponse, "oidc", unknown>;
 authorizeIframe: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizationSuccess, "oidc", unknown>;
@@ -155,6 +159,10 @@ oidc: CombinedState<    {
 authorizeFetch: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizeSuccessResponse, "oidc", unknown>;
+par: MutationDefinition<    {
+endpoint: string;
+body: URLSearchParams;
+}, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, PushAuthorizationResponse, "oidc", unknown>;
 authorizeIframe: MutationDefinition<    {
 url: string;
 }, BaseQueryFn<string | FetchArgs, unknown, FetchBaseQueryError, {}, FetchBaseQueryMeta>, never, AuthorizationSuccess, "oidc", unknown>;
@@ -281,6 +289,8 @@ export interface OidcConfig extends AsyncLegacyConfigOptions {
     // (undocumented)
     clientId: string;
     // (undocumented)
+    par?: boolean;
+    // (undocumented)
     redirectUri: string;
     // (undocumented)
     responseType?: ResponseType_2;
@@ -296,6 +306,14 @@ export interface OidcConfig extends AsyncLegacyConfigOptions {
 // @public (undocumented)
 export type OptionalAuthorizeOptions = Partial<GetAuthorizationUrlOptions>;
 
+// @public (undocumented)
+export interface PushAuthorizationResponse {
+    // (undocumented)
+    expires_in: number;
+    // (undocumented)
+    request_uri: string;
+}
+
 export { RequestMiddleware }
 
 export { ResponseType_2 as ResponseType }

diff --git a/packages/oidc-client/package.json b/packages/oidc-client/package.json
@@ -32,6 +32,7 @@
     "@forgerock/sdk-oidc": "workspace:*",
     "@forgerock/sdk-request-middleware": "workspace:*",
     "@forgerock/sdk-types": "workspace:*",
+    "@forgerock/sdk-utilities": "workspace:*",
     "@forgerock/storage": "workspace:*",
     "@reduxjs/toolkit": "catalog:",
     "effect": "catalog:effect"