Profile Sharing with Pushed Authorization Request (PAR)
¶ Overview
Profile Sharing enables partners to securely share known user information with Uber during the OAuth authorization flow. By providing user profile data (email, phone number, name) upfront, Uber can pre-populate authentication screens, significantly improving login and signup conversion rates while creating a seamless user experience.
This feature leverages Pushed Authorization Request (PAR), which securely transmits authorization parameters—including user profile information—via a backend POST request before redirecting the user to Uber’s authorization page.
¶ Benefits of Profile Sharing
- Increased Conversion Rates: Pre-populated login/signup forms reduce user friction and abandonment
- Seamless User Experience: Users see their familiar information already filled in
- Enhanced Security: User data transmitted via secure backend POST instead of browser redirects
- Reduced User Errors: Less manual typing means fewer typos and validation errors
¶ Profile Sharing Flow
The profile sharing flow enhances the standard OAuth authorization code flow by adding user profile information via PAR. After completing the steps below, continue with the token exchange as described in the OAuth Authorization Code Flow.
¶ Step 1 - Push Authorization Request with Login Hint
Push your authorization parameters along with user profile information to the PAR endpoint.
Request Details:
- HTTP Method: POST
- Domain: auth.uber.com
- Path: /oauth/v2/par
- Content-Type: application/x-www-form-urlencoded (Form Body)
Form Body | Description |
---|---|
client_id | Your application’s client ID |
response_type | Must be set to code for the authorization code flow |
redirect_uri | The redirect URI registered for your application |
scope | Space-delimited list of requested scopes (e.g., profile profile.mobile_number offline_access) |
state | State value for CSRF protection (see State Parameter) |
nonce | Required when requesting openid; random value echoed in id_token (see Nonce Parameter) |
login_hint | Base64-encoded JSON containing user profile information (see Login Hint Format) |
code_challenge | (Optional) Base64url-encoded SHA-256 hash of the code_verifier for PKCE |
code_challenge_method | (Optional) Must be set to S256 when using PKCE |
¶ Login Hint Format
The login_hint parameter must be a base64-encoded JSON object containing the user’s profile information:
JSON Structure:
{
  "email": "user@example.com",
  "phone": "+12345678910",
  "first_name": "John",
  "last_name": "Doe"
}
Field Descriptions:
Field | Type | Description | Required |
---|---|---|---|
email | string | User’s email address | Optional |
phone | string | User’s phone number (E.164 format recommended) | Optional |
first_name | string | User’s first name | Optional |
last_name | string | User’s last name | Optional |
Encoding Steps:
- Create a JSON object with the available user information
- Base64-encode the JSON string
- Include the base64-encoded string as the login_hint parameter
Example (Python):
import json
import base64

login_hint_data = {
    "email": "user@example.com",
    "phone": "+12345678910",
    "first_name": "John",
    "last_name": "Doe"
}

login_hint_json = json.dumps(login_hint_data)
login_hint_b64 = base64.b64encode(login_hint_json.encode()).decode()
# Use login_hint_b64 in the PAR request
Example (JavaScript/Node.js):
const loginHintData = {
  email: "user@example.com",
  phone: "+12345678910",
  first_name: "John",
  last_name: "Doe"
};

const loginHintJson = JSON.stringify(loginHintData);
const loginHintB64 = Buffer.from(loginHintJson).toString('base64');
// Use loginHintB64 in the PAR request
¶ Example PAR Request with Profile Sharing
# First, prepare the login_hint
# JSON: {"email":"user@example.com","phone":"+12345678910","first_name":"John","last_name":"Doe"}
# Base64: eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJwaG9uZSI6IisxMjM0NTY3ODkxMCIsImZpcnN0X25hbWUiOiJKb2huIiwibGFzdF9uYW1lIjoiRG9lIn0=
curl -X POST 'https://auth.uber.com/oauth/v2/par' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=<your_client_id>' \
  --data-urlencode 'response_type=code' \
  --data-urlencode 'redirect_uri=<your_redirect_uri>' \
  --data-urlencode 'scope=profile profile.mobile_number offline_access' \
  --data-urlencode 'state=<your_state>' \
  --data-urlencode 'nonce=<your_nonce>' \
  --data-urlencode 'login_hint=eyJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJwaG9uZSI6IisxMjM0NTY3ODkxMCIsImZpcnN0X25hbWUiOiJKb2huIiwibGFzdF9uYW1lIjoiRG9lIn0=' \
  --data-urlencode 'code_challenge=<base64url_sha256_of_code_verifier>' \
  --data-urlencode 'code_challenge_method=S256'
Example Response:
{
  "request_uri": "urn:ietf:params:oauth:request_uri:<unique_identifier>",
  "expires_in": 300
}
¶ Step 2 - Redirect User to Authorization Endpoint
After receiving the request_uri from Step 1, redirect the user’s browser to Uber’s authorization endpoint.
Request Details:
- HTTP Method: GET
- Domain: auth.uber.com
- Path: /oauth/v2/authorize
Query Params | Description |
---|---|
client_id | Your application’s client ID |
request_uri | The request_uri value received from the PAR endpoint |
Example Request from browser:
https://auth.uber.com/oauth/v2/authorize?client_id=<your_client_id>&request_uri=<request_uri_from_step_1>
What Happens:
- Uber retrieves all authorization parameters (including login_hint) using the request_uri
- If the user is not authenticated:
  - Uber creates a user invite with the profile information from login_hint
  - User is redirected to Uber’s login/signup screen
  - The login/signup form is pre-populated with the email, phone, first name, and last name you provided
- User completes authentication (or skips if already logged in)
- User is redirected back to your application with an authorization code
Example Response:
HTTP Status Code 302 Found
Location: <your_client_redirect_uri>?code=<authorization_code>&state=<your_state>
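Steps 1 and 2 assembled on the partner backend, as an added example that is not Uber's code: it builds the PAR form body with fresh state, nonce and PKCE values, limits login_hint to the four documented fields, builds the Step 2 redirect, and rejects a callback whose state does not match. The function names, the `session` dict and the sample values are assumptions made for illustration; no network request is sent.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.uber.com/oauth/v2/authorize"  # domain + path from Step 2
HINT_FIELDS = ("email", "phone", "first_name", "last_name")  # fields documented above

def make_login_hint(profile):
    """Base64-encode only the documented, non-empty fields (drops any other PII)."""
    hint = {k: profile[k] for k in HINT_FIELDS if profile.get(k)}
    return base64.b64encode(json.dumps(hint, separators=(",", ":")).encode()).decode()

def pkce_challenge(code_verifier):
    """S256 method: base64url(SHA-256(code_verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_par_request(client_id, redirect_uri, scope, profile):
    """Return (form, session): form is the Step 1 POST body, session stays server-side."""
    session = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32),
               "code_verifier": secrets.token_urlsafe(64)}  # hypothetical storage shape
    form = {
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "scope": scope,
        "state": session["state"], "nonce": session["nonce"],
        "login_hint": make_login_hint(profile),
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return form, session

def authorize_redirect(client_id, par_response):
    """Step 2: the browser URL carries only client_id and request_uri, no profile data."""
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": client_id, "request_uri": par_response["request_uri"]})

def code_from_callback(callback_url, session):
    """Return the authorization code only if state equals the value stored in Step 1."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]
```

Keep `session` in server-side storage tied to the user's browser session; the `code_verifier` is needed again at token exchange when PKCE is used.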
¶ Next Steps - Token Exchange and API Access
After receiving the authorization code, continue with the token exchange process as described in the OAuth Authorization Code Flow documentation.