From 9af305aa87081a3bb22e034ad7824521c9db9b11 Mon Sep 17 00:00:00 2001
From: Daniel K <d@ja.vu>
Date: Mon, 14 Jun 2021 13:43:57 +0200
Subject: [PATCH] Support for Pushed Authorization Requests (PAR)

OAuth 2.0 Pushed Authorization Requests is defined in
(draft-ietf-oauth-par-08)

PAR lets the client push the authorization request to the IP
ahead of end-user involvement
---
 CHANGELOG.md                |  5 +++++
 src/OpenIDConnectClient.php | 41 +++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3185924c..bcdbcac2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## master
+
+### Added
+* Support for Pushed Authorization Requests (draft-ietf-oauth-par-08)
+
 ## [0.9.2]
 
 ### Added
diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
index ee81b02c..d4abd07e 100644
--- a/src/OpenIDConnectClient.php
+++ b/src/OpenIDConnectClient.php
@@ -675,12 +675,53 @@ private function requestAuthorization() {
             ));
         }
 
+        $par_data = $this->pushAuthorizationRequest($auth_params);
+        if ($par_data) {
+            $auth_params = array(
+                'client_id' => $this->clientID,
+                'request_uri' => $par_data->request_uri
+            );
+        }
+
         $auth_endpoint .= (strpos($auth_endpoint, '?') === false ? '?' : '&') . http_build_query($auth_params, null, '&', $this->enc_type);
 
         $this->commitSession();
         $this->redirect($auth_endpoint);
     }
 
+    /**
+     * Push authorization request
+     *
+     * @param array $auth_params
+     * @return mixed
+     */
+    private function pushAuthorizationRequest($auth_params) {
+        $par_endpoint = $this->getProviderConfigValue('pushed_authorization_request_endpoint');
+        if (!$par_endpoint) {
+            return NULL;
+        }
+        $endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
+
+        $headers = [];
+
+        # Consider Basic authentication if provider config is set this way
+        if (in_array('client_secret_basic', $endpoint_auth_methods_supported, true)) {
+            $headers = ['Authorization: Basic ' . base64_encode(urlencode($this->clientID) . ':' . urlencode($this->clientSecret)),
+                'Accept: application/json'];
+
+            unset($auth_params['client_secret']);
+        }
+
+        $par_params = http_build_query($auth_params, NULL, '&');
+        $response = json_decode($this->fetchURL($par_endpoint, $par_params, $headers));
+
+        if (!isset($response->request_uri)) {
+            return NULL;
+        }
+
+        return $response;
+    }
+
     /**
      * Requests a client credentials token
      *