Feature request https://github.com/golang/oauth2/issues/653

We propose adding support for PAR (RFC 9126).

Motivation: PAR uses HTTP POST to directly send the authorization request parameters to the authorization server instead of being sent as URI query parameters via redirection in the user agent. This change would make it easier to write more secure OAuth clients by adding confidentiality and integrity to the authorization requests, reducing exposure to tampering and data leakage, and addressing the limitations of URL lengths that can prevent complex requests, such as when using JWT-Secured Authorization Request (JAR) or requests with fine-grained authorization.

PAR is already supported by many IAM solutions such as Okta, Auth0, Curity, Identity Server, and Keycloak.

Proposed API:

// PushAuthRequest sends a back-channel authorization request to the PAR endpoint and returns a URL
// to OAuth 2.0 provider's consent page which contains a reference to the request made.
//
// The state parameter is used to prevent CSRF attacks. opts may include any authorization
// request parameters as defined in RFC 6749, or any extension like PKCE (RFC 7636) or JAR (RFC 9101).
//
// Recommended to use over AuthCodeURL when the authorization server supports it.
// See https://datatracker.ietf.org/doc/html/rfc9126
func (c *Config) PushAuthRequest(ctx context.Context, state string, opts ...AuthCodeOption) (string, error) 

Additionally, we update the Endpoint struct to include a PARURL field.

type Endpoint struct {
    AuthURL       string
    DeviceAuthURL string
    TokenURL      string
    PARURL        string // New field for the PAR endpoint URL

    AuthStyle AuthStyle
}

Prototype implementation: https://go-review.googlesource.com/c/oauth2/+/567315
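The exchange the proposal describes, as an added stand-alone Go example that is not code from golang/oauth2 or from the prototype CL: the client POSTs the whole authorization request (state, redirect_uri and PKCE included) to the PAR endpoint with client authentication, expects a 201 Created carrying a request_uri, and then builds a front-channel URL that contains only client_id and request_uri. parConfig, the PushAuthRequest signature used here, newFakeAS and demoPAR are assumptions made for illustration; the authorization server is a constructed httptest stub so the example runs offline, and the client credentials, state value and the RFC 7636 appendix B code_verifier are constructed sample inputs.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// parConfig is a hypothetical stand-in for an oauth2.Config that carries the proposed PARURL field.
type parConfig struct {
	ClientID, ClientSecret, RedirectURL, AuthURL, PARURL string
}

// parResponse is the JSON body returned by a PAR endpoint (RFC 9126 sections 2.2 and 2.3).
type parResponse struct {
	RequestURI string `json:"request_uri"`
	ExpiresIn  int    `json:"expires_in"`
	Error      string `json:"error"`
}

// s256Challenge derives the PKCE S256 code_challenge from a code_verifier (RFC 7636 section 4.2).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// PushAuthRequest posts the full authorization request to the PAR endpoint over the back channel (authenticating
// as at the token endpoint) and returns the front-channel URL carrying only client_id and request_uri (RFC 9126).
func (c *parConfig) PushAuthRequest(ctx context.Context, hc *http.Client, state, codeVerifier string) (string, error) {
	form := url.Values{
		"response_type":         {"code"},
		"client_id":             {c.ClientID},
		"redirect_uri":          {c.RedirectURL},
		"state":                 {state},
		"code_challenge":        {s256Challenge(codeVerifier)},
		"code_challenge_method": {"S256"},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, c.PARURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(c.ClientID, c.ClientSecret) // client_secret_basic; a public client would omit this
	resp, err := hc.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var pr parResponse // success is 201 Created with a JSON body; other statuses carry an error code
	if err := json.NewDecoder(resp.Body).Decode(&pr); err != nil || resp.StatusCode != http.StatusCreated || pr.RequestURI == "" {
		return "", fmt.Errorf("par: status %d error=%q decode=%v", resp.StatusCode, pr.Error, err)
	}
	// request_uri is single-use and short-lived (expires_in), so redirect promptly; state, redirect_uri and PKCE stay off the URL.
	q := url.Values{"client_id": {c.ClientID}, "request_uri": {pr.RequestURI}}
	return c.AuthURL + "?" + q.Encode(), nil // assumes AuthURL has no query string of its own
}

// newFakeAS is a constructed, offline stand-in for an authorization server's PAR endpoint.
func newFakeAS(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fail := func(code int, e string) {
			w.WriteHeader(code)
			_ = json.NewEncoder(w).Encode(parResponse{Error: e})
		}
		switch id, secret, ok := r.BasicAuth(); {
		case !ok || id != clientID || secret != clientSecret:
			fail(http.StatusUnauthorized, "invalid_client")
		case r.PostFormValue("request_uri") != "": // RFC 9126 section 2.1: request_uri must not be pushed
			fail(http.StatusBadRequest, "invalid_request")
		case r.PostFormValue("code_challenge_method") != "S256": // this AS requires PKCE
			fail(http.StatusBadRequest, "invalid_request")
		default:
			var b [16]byte
			_, _ = rand.Read(b[:])
			w.WriteHeader(http.StatusCreated)
			_ = json.NewEncoder(w).Encode(parResponse{RequestURI: fmt.Sprintf("urn:ietf:params:oauth:request_uri:%x", b), ExpiresIn: 60})
		}
	}))
}

// demoPAR runs the exchange against the fake AS with the given secret; the verifier is the RFC 7636 appendix B vector.
func demoPAR(clientSecret string) (string, error) {
	srv := newFakeAS("client-123", "s3cret")
	defer srv.Close()
	cfg := &parConfig{ClientID: "client-123", ClientSecret: clientSecret, RedirectURL: "https://app.example/cb", AuthURL: "https://as.example/authorize", PARURL: srv.URL + "/par"}
	return cfg.PushAuthRequest(context.Background(), srv.Client(), "state-xyz", "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
}

func main() {
	fmt.Println(demoPAR("s3cret"))
}
```

Compared with AuthCodeURL, where state, redirect_uri and code_challenge all travel through the user agent, demoPAR("s3cret") yields https://as.example/authorize?client_id=client-123&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3A... and nothing else, while demoPAR("wrong") surfaces the server's invalid_client error before any redirect is produced.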

Comment From: migregal

PAR is not only implemented by many OAuth2 providers, but is also included in some standard libraries. For example, in .NET Core, starting from version 9.

https://learn.microsoft.com/en-us/aspnet/core/release-notes/aspnetcore-9.0?view=aspnetcore-9.0#openidconnecthandler-adds-support-for-pushed-authorization-requests-par

Comment From: migregal

Based on my experience with authentication services, PAR is a big improvement, as it automatically solves a lot of problems that I've encountered over the years.