
Add OAuth 2.0 Pushed Authorization Requests support in the OpenID module #17594

kevinchalet opened this issue Mar 10, 2025 · 1 comment

@kevinchalet
Member

OpenIddict 6.1.0 introduced full support for OAuth 2.0 Pushed Authorization Requests in both the client and server stacks: https://documentation.openiddict.com/configuration/pushed-authorization-requests.

While OC just migrated to OpenIddict 6.1.0, that feature is not currently enabled. Since it drastically improves the security level of interactive flows for confidential clients, we should definitely consider supporting it.

My recommendations:

  • Enable the OAuth 2.0 PAR Endpoint by default.
  • Add a data migration updating all the existing applications allowed to use the code/implicit/hybrid flows to also allow them to use the new PAR endpoint (some clients - like the MSFT OIDC client or OpenIddict - will automatically use PAR-enabled flows when the PAR endpoint is enabled, so if a client is not allowed to use that endpoint, an error will be returned).
  • Update the UpdateDescriptorFromSettings() extension to support handling the PAR endpoint permission.
  • Add an option that allows forcing a specific application to use PAR in the application create/edit views.
  • Add a global option that allows forcing all clients to use PAR in the server options.
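The recommendations above, written out as an added C# example (this is not OrchardCore's or OpenIddict's own code). It assumes the OpenIddict 6.1 API names `SetPushedAuthorizationEndpointUris`, `Permissions.Endpoints.PushedAuthorization`, `options.RequirePushedAuthorizationRequests()` and `Requirements.Features.PushedAuthorizationRequests` as documented for 6.1; the `connect/par` route, the `ParServerConfiguration` and `GrantParPermissionMigration` class names and the `requirePar` parameter are assumptions made for the example. The migration grants the PAR endpoint permission to every application already permitted to use the authorization endpoint, which is the set of clients that would otherwise start failing once PAR-aware clients detect the new endpoint.

```csharp
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Server side (recommendations 1 and 5): expose the PAR endpoint and optionally
// refuse plain front-channel authorization requests for every client.
// The "connect/par" route is an assumption for this example.
public static class ParServerConfiguration
{
    public static IServiceCollection AddParEnabledServer(
        this IServiceCollection services, bool requireParForAllClients)
    {
        services.AddOpenIddict()
            .AddServer(options =>
            {
                options.SetAuthorizationEndpointUris("connect/authorize")
                       .SetTokenEndpointUris("connect/token")
                       // Registering the endpoint is what makes PAR-aware clients
                       // (MSFT OIDC client, OpenIddict client) start pushing requests.
                       .SetPushedAuthorizationEndpointUris("connect/par");

                options.AllowAuthorizationCodeFlow();

                // Global switch: assumed 6.1 server option that rejects any
                // authorization request that was not pushed first.
                if (requireParForAllClients)
                {
                    options.RequirePushedAuthorizationRequests();
                }
            });

        return services;
    }
}

// Data migration (recommendations 2 and 4): every application already allowed to
// use the authorization endpoint also gets the PAR endpoint permission, and can
// optionally be forced to use PAR via a per-application requirement.
public sealed class GrantParPermissionMigration
{
    private readonly IOpenIddictApplicationManager _manager;

    public GrantParPermissionMigration(IOpenIddictApplicationManager manager)
        => _manager = manager;

    // Returns the number of applications that were updated.
    public async Task<int> RunAsync(bool requirePar = false)
    {
        var updated = 0;

        // ListAsync yields every registered application as an opaque object.
        await foreach (var application in _manager.ListAsync())
        {
            var permissions = await _manager.GetPermissionsAsync(application);

            // Skip non-interactive clients (client credentials only, etc.) and
            // applications that already have the PAR permission.
            if (!permissions.Contains(Permissions.Endpoints.Authorization) ||
                permissions.Contains(Permissions.Endpoints.PushedAuthorization))
            {
                continue;
            }

            // Copy the stored application into a descriptor, amend it, write it back.
            var descriptor = new OpenIddictApplicationDescriptor();
            await _manager.PopulateAsync(descriptor, application);

            descriptor.Permissions.Add(Permissions.Endpoints.PushedAuthorization);

            // Per-application enforcement: assumed 6.1 requirement constant that
            // makes the server reject non-pushed requests from this client only.
            if (requirePar)
            {
                descriptor.Requirements.Add(Requirements.Features.PushedAuthorizationRequests);
            }

            await _manager.UpdateAsync(application, descriptor);
            updated++;
        }

        return updated;
    }
}
```

Running the migration before flipping the global `requireParForAllClients` switch keeps the rollout safe: clients that auto-detect PAR gain the permission first, and the server-wide enforcement is turned on only once every interactive application has been migrated.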
Contributor

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.
