Include of PAR for WN9 /b (dotnet#33334)

* Include of PAR for WN9 /b

* Update aspnetcore-2.2.md

Author: Rick-Anderson

aspnetcore/release-notes/aspnetcore-2.2.md

@@ -4,7 +4,7 @@ author: rick-anderson
 description: Learn about the new features in ASP.NET Core 2.2.
 ms.author: riande
 ms.custom: mvc
-ms.date: 12/05/2019
+ms.date: 12/5/2019
 uid: aspnetcore-2.2
 ---
 # What's new in ASP.NET Core 2.2

aspnetcore/release-notes/aspnetcore-9/includes/par.md

@@ -5,14 +5,14 @@
 
 We'd like to thank [Joe DeCock](https://github.com/josephdecock) from [Duende Software](https://github.com/DuendeSoftware) for adding Pushed Authorization Requests (PAR) to ASP.NET Core's [OpenIdConnectHandler](/dotnet/api/microsoft.aspnetcore.authentication.openidconnect.openidconnecthandler). Joe described the background and motivation for enabling PAR in [his API proposal](https://github.com/dotnet/aspnetcore/issues/51686) as follows:
 
-> Pushed Authorization Requests (PAR) is a relatively new [OAuth standard](https://datatracker.ietf.org/doc/html/rfc9126) that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel (that is, from redirect URLs in the browser to direct machine to machine http calls on the back end).
+> Pushed Authorization Requests (PAR) is a relatively new [OAuth standard](https://datatracker.ietf.org/doc/html/rfc9126) that improves the security of OAuth and OIDC flows by moving authorization parameters from the front channel to the back channel. Thats is, moving authorization parameters from redirect URLs in the browser to direct machine to machine http calls on the back end.
 >
-> This prevents an attacker in the browser from
+> This prevents an attacker in the browser from:
 >
-> * seeing authorization parameters (which could leak PII) and from
-> * tampering with those parameters (e.g., the attacker could change the scope of access being requested).
+> * Seeing authorization parameters, which could leak PII.
+> * Tampering with those parameters, e.g., the attacker could change the scope of access being requested.
 >
-> Pushing the authorization parameters also keeps request URLs short. Authorize parameters might get very long when using more complex OAuth and OIDC features such as [Rich Authorization Requests](https://oauth.net/2/rich-authorization-requests/), and URLs that are long cause issues in many browsers and networking infrastructure.
+> Pushing the authorization parameters also keeps request URLs short. Authorize parameters can get very long when using more complex OAuth and OIDC features such as [Rich Authorization Requests](https://oauth.net/2/rich-authorization-requests/). URLs that are long cause issues in many browsers and networking infrastructures.
 >
 > The use of PAR is encouraged by the [FAPI working group](https://openid.net/wg/fapi/) within the OpenID Foundation. For example, [the FAPI2.0 Security Profile](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html) requires the use of PAR. This security profile is used by many of the groups working on open banking (primarily in Europe), in health care, and in other industries with high security requirements.
 >
@@ -23,8 +23,8 @@ We'd like to thank [Joe DeCock](https://github.com/josephdecock) from [Duende So
 > * [Keycloak](https://www.keycloak.org/)
 > * [Authlete](https://www.authlete.com/developers/tutorial/oidc/)
 
-For preview7, we have decided to enable PAR by default if the identity provider's discovery document (usually found at `.well-known/openid-configuration`) advertises support for PAR, since it should provide enhanced security for providers that support it. If this causes problems, you can disable PAR via [OpenIdConnectOptions.PushedAuthorizationBehavior](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs,99014cc0333b1603) as follows:
+For .NET 9, we have decided to enable PAR by default if the identity provider's discovery document advertises support for PAR, since it should provide enhanced security for providers that support it. The identity provider's discovery document is usually found at `.well-known/openid-configuration`. If this causes problems, you can disable PAR via [OpenIdConnectOptions.PushedAuthorizationBehavior](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectOptions.cs,99014cc0333b1603) as follows:
 
 :::code language="csharp" source="~/release-notes/aspnetcore-9/samples/PAR/Program.cs" id="snippet_1" highlight="8-99":::
 
-If you want to ensure that authentication only succeeds if PAR is used, you can use [PushedAuthorizationBehavior.Require](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/PushedAuthorizationBehavior.cs,3af73de8f33b70c5) instead. This change also introduces a new [OnPushAuthorization](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/Events/OpenIdConnectEvents.cs,6a21c8f3a90753c1) event to [OpenIdConnectEvents](/dotnet/api/microsoft.aspnetcore.authentication.openidconnect.openidconnectevents) which can be used customize the pushed authorization request or handle it manually. Please refer to the [API proposal](https://github.com/dotnet/aspnetcore/issues/51686) for more details.
+To ensure that authentication only succeeds if PAR is used, use [PushedAuthorizationBehavior.Require](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/PushedAuthorizationBehavior.cs,3af73de8f33b70c5) instead. This change also introduces a new [OnPushAuthorization](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OpenIdConnect/Events/OpenIdConnectEvents.cs,6a21c8f3a90753c1) event to [OpenIdConnectEvents](/dotnet/api/microsoft.aspnetcore.authentication.openidconnect.openidconnectevents) which can be used customize the pushed authorization request or handle it manually. See the [API proposal](https://github.com/dotnet/aspnetcore/issues/51686) for more details.

aspnetcore/release-notes/aspnetcore-9/samples/PAR/Program.cs

@@ -4,24 +4,27 @@
 var builder = WebApplication.CreateBuilder(args);
 
 // <snippet_1>
-builder.Services
-    .AddAuthentication(options =>
-    {
-        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
-        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
-    })
-    .AddCookie()
-    .AddOpenIdConnect("oidc", oidcOptions =>
-    {
-        // Other provider-specific configuration goes here.
-
-        // The default value is PushedAuthorizationBehavior.UseIfAvailable.
-        oidcOptions.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Disable;
-    });
+ builder.Services
+     .AddAuthentication(options =>
+     {
+         options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+         options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+     })
+     .AddCookie()
+     .AddOpenIdConnect("oidc", oidcOptions =>
+     {
+         // Other provider-specific configuration goes here.
+ 
+         // The default value is PushedAuthorizationBehavior.UseIfAvailable.
+ 
+         // 'OpenIdConnectOptions' does not contain a definition for 'PushedAuthorizationBehavior'
+         // and no accessible extension method 'PushedAuthorizationBehavior' accepting a first argument
+         // of type 'OpenIdConnectOptions' could be found
+         oidcOptions.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Disable;
+     });
 // </snippet_1>
 
 var app = builder.Build();
-
 app.MapGet("/", () => "Hello World!");
 
 app.Run();