RFC-9126: PAR by zachswasey · Pull Request #814 · authlib/authlib
This is a WIP to request feedback early on in the approach before I clean things up, write tests, and submit an official PR.
This implements RFC-9126: OAuth 2.0 Pushed Authorization Requests
I'm supporting ATProto (Bluesky) in my application, and their implementation requires DPoP and PAR. You can read more about their specific requirements here for context.
This is only the client-side code at the moment, but again just looking for overall feedback before cleaning up and adding tests.
It's not particularly complicated on the client-side to support, but working it into the existing framework and maintaining backwards compatibility was a bit difficult, which is mostly where feedback would be welcome. Since PAR accepts all the same values at /par as would've normally been sent to /authorize, I re-utilized authorize_params for both use-cases, and added a separate authorize_url_params arg specifically for parameters that need to be sent to /authorize in both PAR and non-PAR use-cases. I couldn't think of a cleaner way to do this, or even a better name (always horrible at naming things!), so suggestions are welcome.
Server support has been added as well. For saving the generated request_uri I added it to the AuthorizationCode, but that complicates the existing query_authorization_code() and save_authorization_code() methods since they'd need to be expanded to include the state, request_uri, and expires_in. I'm not sure how y'all have handled breaking changes like that in the past, so feedback explicitly about how you'd like to handle that would be most useful.
TODO:
- Tests
- Server-side support
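The split the PR describes, with the full authorization parameters pushed to /par and only client_id plus request_uri (and any /authorize-only extras) placed in the browser URL, can be illustrated end to end with a small in-memory model of both sides. The code below is an added example written for this discussion; it is not authlib's implementation, and `ParServer`, `run_par_flow`, `build_authorize_url` and the 60-second lifetime are assumptions made here. It also shows the server-side checks a reviewer would expect around the stored request_uri (bound to the pushing client, expiring, single-use), which is the part the PR's AuthorizationCode question is about.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# URN namespace that RFC 9126 section 2.2 reserves for request_uri values.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
# Constructed lifetime for this toy; RFC 9126 only says it should be short.
PAR_LIFETIME_SECONDS = 60


class ParServer:
    """Toy in-memory pushed authorization request endpoint (hypothetical, not authlib's)."""

    def __init__(self, registered_clients, now=time.time):
        self._clients = registered_clients  # client_id -> set of registered redirect_uris
        self._requests = {}                 # request_uri -> (client_id, params, expires_at)
        self._now = now                     # injectable clock so expiry can be exercised offline

    def push(self, client_id, params):
        """POST /par: accept the same parameters the client would have sent to /authorize."""
        if client_id not in self._clients:
            return {"error": "invalid_client"}
        if "request_uri" in params:  # RFC 9126 section 2.1 forbids request_uri at the PAR endpoint
            return {"error": "invalid_request", "error_description": "request_uri not allowed"}
        if params.get("client_id", client_id) != client_id:
            return {"error": "invalid_request", "error_description": "client_id mismatch"}
        if params.get("redirect_uri") not in self._clients[client_id]:
            return {"error": "invalid_request", "error_description": "unregistered redirect_uri"}
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._requests[request_uri] = (client_id, dict(params), self._now() + PAR_LIFETIME_SECONDS)
        return {"request_uri": request_uri, "expires_in": PAR_LIFETIME_SECONDS}

    def resolve_authorize(self, client_id, request_uri):
        """GET /authorize: look up the pushed request; returns (params, None) or (None, error)."""
        entry = self._requests.pop(request_uri, None)  # single use: any attempt burns it
        if entry is None:
            return None, "invalid_request: unknown or already used request_uri"
        owner, params, expires_at = entry
        if owner != client_id:
            return None, "invalid_request: request_uri belongs to another client"
        if self._now() >= expires_at:
            return None, "invalid_request: request_uri expired"
        return params, None


def build_authorize_url(authorize_endpoint, client_id, request_uri, url_params=None):
    """Client side: only client_id, request_uri and /authorize-only extras go in the URL."""
    query = {"client_id": client_id, "request_uri": request_uri}
    query.update(url_params or {})
    return authorize_endpoint + "?" + urlencode(query)


def run_par_flow(server, client_id, authorize_params, authorize_url_params=None):
    """Push authorize_params to /par, then build the short /authorize URL; None on a PAR error."""
    pushed = server.push(client_id, authorize_params)
    if "error" in pushed:
        return None
    return build_authorize_url("https://as.example/authorize", client_id,
                               pushed["request_uri"], authorize_url_params)


def authorize_query(url):
    """Flat dict of the URL's query string, for inspecting what actually left the client."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    server = ParServer({"app1": {"https://app.example/cb"}})
    url = run_par_flow(server, "app1", {
        "response_type": "code", "client_id": "app1",
        "redirect_uri": "https://app.example/cb", "scope": "atproto",
        "state": "xyz", "code_challenge": "abc", "code_challenge_method": "S256",
    }, {"prompt": "login"})
    print(url)  # scope, state and code_challenge never appear in the browser-visible URL
    params, err = server.resolve_authorize("app1", authorize_query(url)["request_uri"])
    print(params, err)
```

The `authorize_params` / `authorize_url_params` split in the example mirrors the PR's naming: everything in the first dict is pushed, and only the second dict is appended to the /authorize URL. On the server side, storing the pushing client_id and an expiry alongside the request is what makes the three rejections (wrong client, expired, replayed) possible, which is the same data the PR notes would have to be threaded through `save_authorization_code()` and `query_authorization_code()`.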