Add PAR request cleanup guide #6194
📝 Walkthrough

Five documentation files are updated: security warning callouts are added to the access token, refresh token, and private-key JWT client authentication docs prohibiting transmission of tokens and credentials in URL query parameters; a PAR record cleanup guide section is added for WSO2 IS; and "Referer" is added to the Asgardeo spelling dictionary.

Changes: Token security guidance and PAR maintenance docs
⚠️ Outside diff range comments (1)
en/includes/guides/authentication/oidc/implement-login-with-par.md (1)
20-22: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language tag to the code block on line 20.
The pipeline failure indicates a missing language specifier on the fenced code block. Although this is existing code (not part of this PR's changes), the MD040 error is blocking the build. Add a language tag to comply with markdown linting rules.
🔧 Proposed fix
The `request_uri` functions as a reference to your authorization payload. You can receive a `request_uri` by invoking the following endpoint in {{product_name}}.
-```
+```bash
{{par_endpoint}}
🧹 Nitpick comments (1)
en/includes/guides/authentication/oidc/private-key-jwt-client-auth.md (1)
132-133: 💤 Low value

Consider splitting the warning into two sentences for better readability.
The warning is comprehensive but combines two related instructions in a single long sentence. Breaking it into a directive sentence (Send...) followed by a prohibition sentence (Never send...) could improve clarity without losing impact.
✏️ Proposed refactoring (optional)
!!! warning
- Send the `client_assertion` (and the client secret, if you use the `client_secret_basic` or `client_secret_post` method) as form parameters in the body of the `POST` request to the token endpoint. Never send these credentials in custom HTTP headers or as URL query parameters, where they can leak through server logs, browser history, and the `Referer` header.
+ Send the `client_assertion` (and the client secret, if you use the `client_secret_basic` or `client_secret_post` method) as form parameters in the body of the `POST` request to the token endpoint.
+
+ Never send these credentials in custom HTTP headers or as URL query parameters. They can leak through server logs, browser history, and the `Referer` header.
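Review bot: the split introduces a blank line inside the `!!! warning` admonition, so check that the second paragraph ("Never send these credentials ...") keeps the admonition's indentation; a paragraph that follows the blank line without that indentation renders as ordinary body text outside the warning box, which would separate the prohibition from the callout it belongs to.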
📒 Files selected for processing (5)

- en/asgardeo/.spelling
- en/includes/guides/authentication/oidc/implement-login-with-par.md
- en/includes/guides/authentication/oidc/private-key-jwt-client-auth.md
- en/includes/references/tokens/access-tokens.md
- en/includes/references/tokens/refresh-tokens.md
Purpose
Adds documentation for cleaning up PAR request records and clarifies how tokens
and client credentials should be transmitted.
Changes
- per-database cleanup scripts (DB2, MSSQL, MySQL, Oracle, PostgreSQL). Shown for WSO2 Identity Server only.
- `Authorization` header rather than as URL query parameters.
- form parameter in the token request.
- `Referer` to the spelling dictionary.

Related docs
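Both the warning discussed in the review above and this PR description make the same point: tokens and client credentials go in the `Authorization` header or the `POST` body, never in URL query parameters, because access logs and `Referer` headers capture them. The following added example (not code from this PR or from the WSO2/Asgardeo docs; the log format and sample lines are constructed) scans access-log lines for exactly that leak and redacts the values so the log can be retained safely.

```python
"""Detect OAuth tokens and client credentials sent as URL query parameters
by scanning access-log lines, then redact them.  Added example, not code from
the WSO2/Asgardeo docs; the log format and sample lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters that belong in the POST body or the Authorization header.
# In the request line they end up in access logs and in Referer headers.
SENSITIVE_PARAMS = {"access_token", "refresh_token", "client_secret",
                    "client_assertion", "id_token"}

# Combined log format: "METHOD TARGET HTTP/x.y" STATUS SIZE "REFERER"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

def leaked_params(url):
    """Sensitive parameter names present in the query string of url."""
    keys = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k for k in keys if k in SENSITIVE_PARAMS}

def scan_log(lines):
    """Return (line_no, where, params) for each request target or Referer
    value that carries a sensitive parameter in its query string."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a recognised access-log line
        for where in ("target", "referer"):
            hit = leaked_params(m[where])
            if hit:
                findings.append((n, where, sorted(hit)))
    return findings

def redact(line):
    """Blank the value of every sensitive query parameter in a log line."""
    names = "|".join(map(re.escape, sorted(SENSITIVE_PARAMS)))
    return re.sub(r'([?&](?:%s)=)[^&\s"]*' % names, r"\1[REDACTED]", line)

# Constructed sample log. Line 1 is a correct token request: the credentials
# travel in the POST body, so nothing sensitive reaches the log.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2024:10:01:02 +0000] "POST /oauth2/token HTTP/1.1" 200 512 "-"',
    '198.51.100.7 - - [10/May/2024:10:01:03 +0000] "GET /api/me?access_token=eyJ.sample.at HTTP/1.1" 200 87 "-"',
    '198.51.100.9 - - [10/May/2024:10:01:04 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "https://app.example/cb?refresh_token=rt.sample"',
    '198.51.100.9 - - [10/May/2024:10:01:05 +0000] "POST /oauth2/token?client_assertion=eyJ.sample.jwt&grant_type=client_credentials HTTP/1.1" 400 60 "-"',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 4 (token and `client_assertion` in the request target) and line 3 (refresh token carried in via a `Referer` header), while line 1 is clean.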