Allow the use of Pushed Authentication Requests when supported by the provider #409

Open
istyf opened this issue Jan 8, 2024 · 3 comments

istyf commented Jan 8, 2024

I would like to be able to use PAR with go-oidc, but sadly it does not seem to support that. See https://datatracker.ietf.org/doc/html/rfc9126 and https://medium.com/oauth-2/pushed-authorization-requests-draft-adopted-by-oauth-working-group-a1060007150f

I am willing to take a stab at implementing support for this, unless someone is already working on it.

@ericchiang
Collaborator

Do you have a sense of what API additions would be needed from go-oidc to support this? Briefly looking at the spec, it seems like this might be more suitable as a golang.org/x/oauth2 feature?

@istyf
Author

istyf commented Jan 8, 2024

Thank you for your quick response! I must admit I had not given the actual implementation much thought before posting the issue, but you are right, after some more digging it seems that most of the implementation belongs in golang.org/x/oauth2.

I think though that we would like to extract the endpoint URL from the `pushed_authorization_request_endpoint` in the auth server metadata (here: `err = unmarshalResp(resp, body, &p)`) and return it when we query the provider for endpoints (here: `return oauth2.Endpoint{AuthURL: p.authURL, DeviceAuthURL: p.deviceAuthURL, TokenURL: p.tokenURL}`). But ... that would require that support for this endpoint has already made it into `oauth2.Endpoint`, so I guess I will have to start over there.

@ericchiang
Collaborator

Thanks for the reply! Any additional metadata endpoints can be retrieved through https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#Provider.Claims

(We should really have a better name for that method)
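The approach suggested in the last comment, as an added example that is not code from go-oidc or from either commenter: decode the RFC 9126 metadata fields from the discovery document into a caller-defined struct, which is what passing `&parMetadata{}` to `Provider.Claims` would do. To run offline it uses `encoding/json` on a constructed document; `parMetadata`, `parseDiscovery`, `authCodeURL` and all sample values are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// sampleDiscovery is a constructed metadata document, not from a real provider.
const sampleDiscovery = `{
  "authorization_endpoint": "https://op.example.com/authorize",
  "pushed_authorization_request_endpoint": "https://op.example.com/par",
  "require_pushed_authorization_requests": true
}`

// parMetadata (hypothetical) holds the RFC 9126 fields oauth2.Endpoint lacks.
type parMetadata struct {
	AuthURL     string `json:"authorization_endpoint"`
	PAREndpoint string `json:"pushed_authorization_request_endpoint"`
	RequirePAR  bool   `json:"require_pushed_authorization_requests"`
}

// parseDiscovery decodes the metadata and refuses a missing or non-HTTPS PAR
// endpoint, since client credentials are sent to that URL.
func parseDiscovery(raw []byte) (parMetadata, error) {
	var m parMetadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	if m.PAREndpoint == "" {
		return m, errors.New("provider does not advertise a PAR endpoint")
	}
	if u, err := url.Parse(m.PAREndpoint); err != nil || u.Scheme != "https" || u.Host == "" {
		return m, fmt.Errorf("rejecting PAR endpoint %q: not an absolute https URL", m.PAREndpoint)
	}
	return m, nil
}

// authCodeURL builds the browser redirect after a push: only client_id and the
// request_uri returned by the PAR endpoint travel through the front channel.
func authCodeURL(m parMetadata, clientID, requestURI string) string {
	q := url.Values{"client_id": {clientID}, "request_uri": {requestURI}}
	return m.AuthURL + "?" + q.Encode() // assumes AuthURL has no query string
}

func main() {
	m, err := parseDiscovery([]byte(sampleDiscovery))
	fmt.Println(m.PAREndpoint, authCodeURL(m, "example-client", "urn:example:request_uri:constructed"), err)
}
```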
