Merge pull request #61 from ryanbas21/fix/par-inline-params-rule

ryanbas21 · web-flow · commit 1c8688f4e320 · 2026-05-15T12:40:54.000-06:00
fix(diagnosis): stop flagging client_id as prohibited inline PAR param
diff --git a/.changeset/fix-par-inline-params.md b/.changeset/fix-par-inline-params.md
@@ -0,0 +1,7 @@
+---
+'@wolfcola/devtools-core': patch
+---
+
+Fix PAR inline-params rule falsely flagging client_id alongside request_uri
+
+The `par:inline-params-with-request-uri` diagnosis rule incorrectly treated `client_id` as a prohibited inline parameter. Per RFC 9126, `client_id` is required alongside `request_uri` in the authorization request after a PAR. Only truly prohibited params (`redirect_uri`, `scope`, etc.) now trigger the warning.
diff --git a/packages/devtools-core/src/diagnosis/diagnosis-engine.test.ts b/packages/devtools-core/src/diagnosis/diagnosis-engine.test.ts
@@ -935,6 +935,30 @@ describe('PAR rules', () => {
     const result = runFlowRules(events);
     expect(result.some((i) => i.id === 'par:inline-params-with-request-uri')).toBe(true);
   });
+
+  it('does not flag request_uri with only client_id', () => {
+    const events = [
+      makeNetworkEvent({
+        id: 'par-valid',
+        data: {
+          _tag: 'network',
+          url: 'https://auth.example.com/authorize?request_uri=urn:x&client_id=app1',
+          method: 'GET',
+          status: 302,
+          requestHeaders: {},
+          responseHeaders: {},
+          duration: 50,
+        },
+        oidcSemantics: {
+          _tag: 'oidc-semantics',
+          oidcPhase: 'authorize',
+          par: { requestUri: 'urn:x' },
+        },
+      }),
+    ];
+    const result = runFlowRules(events);
+    expect(result.some((i) => i.id === 'par:inline-params-with-request-uri')).toBe(false);
+  });
 });
 
 // ─── Expired JWT via runEventRules ────────────────────────────────────────────
diff --git a/packages/devtools-core/src/diagnosis/diagnosis-engine.ts b/packages/devtools-core/src/diagnosis/diagnosis-engine.ts
@@ -700,8 +700,7 @@ function collectParIssues(events: readonly AuthEvent[]): IssueCandidate[] {
     // Authorize with both request_uri AND inline params
     if (sem.oidcPhase === 'authorize' && sem.par?.requestUri && event.data._tag === 'network') {
       const url = event.data.url;
-      const hasInlineParams =
-        url.includes('client_id=') || url.includes('redirect_uri=') || url.includes('scope=');
+      const hasInlineParams = url.includes('redirect_uri=') || url.includes('scope=');
       if (hasInlineParams) {
         candidates.push({
           dedupKey: `par:inline-params-with-request-uri:${event.id}`,
