Handling expired PAR with multiple applications

[markallum]

Hi,

We are using Duende IdentityServer for our identity application, and have two other applications that rely on that identity app for authentication. We have PAR enabled, so whenever one of our main apps redirects the user to the identity app (either directly or via a link in an email such as when resetting a password) the user has 10 minutes (by default) in order to perform their actions and login in order to be successfully redirected back. If that 10 minutes has elapsed, the user will instead be directed to the error page defined in IdentityServerOptions.UserInteraction.ErrorUrl.

This error has been occurring quite often in our application, most likely due to users resetting their password but not opening the email and performing the reset within the 10 minutes they are given.

We are having some trouble with the best way of handling this and we have a couple of queries:

1. As far as I know the ErrorUrl is used for when any error occurs, not just when a users autorization request expires. Is there anyway we can detect when the error is due to the request expiring so we can give a more specific explanation back to the user?
2. Is there anyway for us to detect which of the main applications the user was trying to access? It seems the idea of PAR is to purposefully hide this information which makes sense but it means we aren't able to give the user an option to try again. We would rather not add links going back to our main applications from the error page as a user may only be able to access application A for example, and should not be given the impression that application B exists or is available to them.

Based on my reading it seems like enabling PAR is a good idea for security and that 10 minutes is an adequate lifetime, but if we are using this incorrectly please let me know.

Thanks!

[wcabus]

Our UI templates shows an example implementation on how you can use the IIdentityServerInteractionService to retrieve the error context.

In the case you're describing, when the authentication fails due to the PAR request expiring, the error context will contain the following data in the ErrorMessage instance:

• Error = "invalid_request_uri"
• ErrorDescription = "expired pushed authorization request"
• ClientId = "client-id-making-the-authorization-request"

This information could help in customizing the error experience to show a link back to the application (based on the client ID - when set). Optionally, you can use the invalid_request_uri error type as an indicator for explaining that the authentication timed out and the user has to try again.

You could also optionally increase the lifetime of the PAR request (either globally or for a specific client), although we generally recommend not doing so: 10 minutes should be sufficient for most users to complete a sign in flow, even when resetting their password. And when your IdentityServer solution needs to be FAPI 2.0 compliant, the FAPI 2.0 Security Profile also recommends to configure the PAR lifetime to a maximum of 10 minutes.