
Make OAuth2 Pushed Authorization Request `request_uri` expiry configurable

Open said026 opened this issue 7 months ago • 4 comments

Expected Behavior: The expires_in parameter in the PAR endpoint should be configurable via configuration properties or the DSL, allowing users to set the expiration duration based on their needs.

Current Behavior: Currently, the expires_in value is hardcoded, typically set to 30 seconds (soon to 5 minutes via https://github.com/spring-projects/spring-authorization-server/issues/2024), which limits flexibility and potentially causes issues with longer authorization flows.

Context: This limitation affects scenarios where longer authorization processes are needed, such as multi-factor authentication. Making this configurable would improve usability and compliance with various deployment requirements.

said026, Jun 12 '25 09:06

@said026

> The expires_in parameter in the PAR endpoint should be configurable

I'm going to change the issue title to refer to the request_uri expiry as it's directly related to that setting rather than expires_in.

Having said that, with the fix applied in spring-projects/spring-authorization-server#2024 for 1.5.1, I believe 5 mins is more than enough time to allow the pushed authorization flow to complete. I'm not convinced it needs to be configurable at this point.

I'll leave this issue open and we'll see if there is demand for this configuration option.

jgrandja, Jun 16 '25 20:06

Hi @jgrandja, it would be great to have. Some specifications mandate an exact PAR validity period, for example, Gematik (the German health insurance regulator) requires exactly 90 seconds - no more, no less.

ArtsiomBaranau, Nov 23 '25 14:11

Hi @ArtsiomBaranau. Spring Authorization Server has moved to Spring Security 7.0. If you reopen this issue over there and it is accepted, we will be glad to resubmit our PR.

edouardhue, Dec 09 '25 08:12

This issue was transferred from spring-projects/spring-authorization-server (see spring-authorization-server#2195)

jgrandja, Dec 09 '25 11:12
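
The effect of the `request_uri` lifetime on a slow authorization flow, as an added example that is not code from Spring Security, Spring Authorization Server, or any participant in this thread. The class `ParLifetimeDemo`, its methods, the 75-second MFA delay and the sample parameters are assumptions made for illustration; the three lifetimes compared (30 seconds, 90 seconds, 5 minutes) are the ones mentioned above.

```java
import java.security.SecureRandom;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch, not Spring code: a PAR request store with a configurable request_uri lifetime.
public class ParLifetimeDemo {
    record Pushed(String params, Instant expiresAt) {}
    record ParResponse(String requestUri, long expiresIn) {}

    private final Map<String, Pushed> store = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration lifetime;
    private Clock clock; // replaceable so the demo can advance time

    ParLifetimeDemo(Duration lifetime, Clock clock) {
        if (lifetime.isZero() || lifetime.isNegative()) throw new IllegalArgumentException("lifetime must be positive");
        this.lifetime = lifetime;
        this.clock = clock;
    }

    // PAR endpoint: store the pushed parameters, return an unguessable reference and its lifetime.
    ParResponse push(String params) {
        byte[] id = new byte[32];
        random.nextBytes(id);
        String uri = "urn:ietf:params:oauth:request_uri:" + Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        store.put(uri, new Pushed(params, clock.instant().plus(lifetime)));
        return new ParResponse(uri, lifetime.toSeconds());
    }

    // Authorization endpoint: remove on first use (one-time reference) and reject once expired.
    Optional<String> redeem(String requestUri) {
        Pushed p = store.remove(requestUri);
        if (p == null || !clock.instant().isBefore(p.expiresAt())) return Optional.empty();
        return Optional.of(p.params());
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2025-06-12T09:00:00Z"); // constructed timestamp
        for (long seconds : new long[] {30, 90, 300}) {
            ParLifetimeDemo as = new ParLifetimeDemo(Duration.ofSeconds(seconds), Clock.fixed(t0, ZoneOffset.UTC));
            ParResponse r = as.push("client_id=demo&scope=openid"); // constructed parameters
            as.clock = Clock.offset(as.clock, Duration.ofSeconds(75)); // user spends 75 s on MFA
            boolean accepted = as.redeem(r.requestUri()).isPresent();
            boolean replayed = as.redeem(r.requestUri()).isPresent();
            System.out.printf("lifetime=%ds expires_in=%d accepted=%b replayed=%b%n", seconds, r.expiresIn(), accepted, replayed);
        }
    }
}
```

With a 75-second user delay, only the 30-second lifetime rejects the request; a second redemption of the same `request_uri` is rejected in every case because the entry is removed on first use.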