Feature request golang/oauth2#653

We propose adding support for PAR (RFC 9126).

Motivation: PAR uses HTTP POST to send the authorization request parameters directly to the authorization server, instead of sending them as URI query parameters via a redirect in the user agent. This change would make it easier to write more secure OAuth clients by adding confidentiality and integrity to the authorization requests, reducing exposure to tampering and data leakage, and addressing the limitations of URL lengths that can prevent complex requests, as when using JWT-Secured Authorization Request (JAR) or requests with fine-grained authorization.

PAR is already supported by many IAM solutions such as Okta, Auth0, Curity, Identity Server, and Keycloak.

Proposed API:

```go
// PushAuthRequest sends a back-channel authorization request to the PAR endpoint and returns a URL
// to the OAuth 2.0 provider's consent page which contains a reference to the request made.
//
// The state parameter is used to prevent CSRF attacks. opts may include any authorization
// request parameters as defined in RFC 6749, or any extension like PKCE (RFC 7636) or JAR (RFC 9101).
//
// Recommended to use over AuthCodeURL when the authorization server supports it.
// See https://datatracker.ietf.org/doc/html/rfc9126
func (c *Config) PushAuthRequest(ctx context.Context, state string, opts ...AuthCodeOption) (string, error)
```

Additionally, we update the Endpoint struct to include a PARURL field:

```go
type Endpoint struct {
	AuthURL       string
	DeviceAuthURL string
	TokenURL      string
	PARURL        string // New field for the PAR endpoint URL
	AuthStyle     AuthStyle
}
```

Prototype implementation: https://go-review.googlesource.com/c/oauth2/+/567315
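The exchange the proposal relies on, as an added example that is not part of the issue, of the golang.org/x/oauth2 package, or of the linked prototype: a minimal PAR endpoint and the matching client built only on the Go standard library. Every name in it (parServer, pushAuthRequest, demo, the client_id app with secret s3cret, the hosts as.example and app.example) is an assumption made for illustration, and the server is a deliberately small stand-in for a real authorization server. It shows the two properties the motivation above refers to: the full authorization request (state, PKCE parameters, scopes) never appears in the front-channel URL, which carries only client_id and an opaque request_uri; and the server binds that request_uri to the authenticated client, expires it, and accepts it once, so a reference that leaks from a browser history or Referer header cannot be replayed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

type pushedRequest struct{ clientID string; params url.Values; expires time.Time }

// parServer is a constructed toy authorization server (an assumption of this example): one static client, one request table.
type parServer struct {
	mu               sync.Mutex
	clientID, secret string
	ttl              time.Duration
	pushed           map[string]pushedRequest
}

// handlePAR is the PAR endpoint (RFC 9126 section 2): authenticate the client, require a POST
// form whose client_id matches it and that carries no request_uri, answer 201 with a fresh reference.
func (s *parServer) handlePAR(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	if !ok || id != s.clientID || secret != s.secret {
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Has("request_uri") || r.PostForm.Get("client_id") != id {
		http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		return
	}
	buf := make([]byte, 24)
	rand.Read(buf) // crypto/rand.Read is documented never to fail since Go 1.24
	ref := "urn:ietf:params:oauth:request_uri:" + base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	s.pushed[ref] = pushedRequest{id, r.PostForm, time.Now().Add(s.ttl)}
	s.mu.Unlock()
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(map[string]any{"request_uri": ref, "expires_in": int(s.ttl.Seconds())})
}

// consume is what the authorization endpoint does with an incoming request_uri: it must be
// known, unexpired and bound to the presenting client, and it is deleted on first use.
func (s *parServer) consume(clientID, ref string) (url.Values, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.pushed[ref]
	delete(s.pushed, ref) // single use, whether or not the checks below pass
	if !ok || time.Now().After(p.expires) || p.clientID != clientID {
		return nil, errors.New("request_uri unknown, already used, expired or bound to another client")
	}
	return p.params, nil
}

// pushAuthRequest is the client side: the whole authorization request travels over the back
// channel, and only client_id and request_uri reach the URL handed to the user agent.
func pushAuthRequest(hc *http.Client, parURL, authURL, clientID, secret, state string, params url.Values) (string, error) {
	form := url.Values{"client_id": {clientID}, "response_type": {"code"}, "state": {state}}
	for k, v := range params {
		form[k] = v
	}
	req, _ := http.NewRequest(http.MethodPost, parURL, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, secret)
	resp, err := hc.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ RequestURI string `json:"request_uri"` }
	if resp.StatusCode != http.StatusCreated || json.NewDecoder(resp.Body).Decode(&body) != nil || body.RequestURI == "" {
		return "", errors.New("PAR endpoint answered " + resp.Status + " or a malformed body")
	}
	return authURL + "?" + url.Values{"client_id": {clientID}, "request_uri": {body.RequestURI}}.Encode(), nil
}

// demo runs the exchange against an in-process server with constructed inputs; it returns the
// front-channel URL, the parameters recovered from request_uri, and the error from replaying it.
func demo() (front string, recovered url.Values, replayErr error) {
	srv := &parServer{clientID: "app", secret: "s3cret", ttl: time.Minute, pushed: map[string]pushedRequest{}}
	ts := httptest.NewServer(http.HandlerFunc(srv.handlePAR))
	defer ts.Close()
	front, err := pushAuthRequest(ts.Client(), ts.URL, "https://as.example/authorize", "app", "s3cret", "xyz",
		url.Values{"redirect_uri": {"https://app.example/cb"}, "scope": {"openid"}, "code_challenge_method": {"S256"}})
	if err != nil {
		return "", nil, err
	}
	u, _ := url.Parse(front)
	if recovered, err = srv.consume("app", u.Query().Get("request_uri")); err != nil {
		return "", nil, err
	}
	_, replayErr = srv.consume("app", u.Query().Get("request_uri"))
	return front, recovered, replayErr
}
```

Calling demo() and inspecting the returned URL shows that its query string carries only client_id and request_uri; everything else is recovered server-side from the pushed request. The client authenticates with client_secret_basic, the handler rejects a body that already contains request_uri as RFC 9126 requires, and the client insists on the 201 status the RFC specifies for a successful push rather than accepting any 2xx.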