DuendeArchive
diff --git a/‎src/Client/Extensions/HttpClientPushedAuthorizationExtensions.cs
+92 b/‎src/Client/Extensions/HttpClientPushedAuthorizationExtensions.cs
+92
diff --git a/‎src/Client/Extensions/RequestUrlExtensions.cs
+29-17 b/‎src/Client/Extensions/RequestUrlExtensions.cs
+29-17
diff --git a/‎src/Client/Messages/DiscoveryDocumentResponse.cs
+3-1 b/‎src/Client/Messages/DiscoveryDocumentResponse.cs
+3-1
diff --git a/‎src/Client/Messages/Parameters.cs
+23-17 b/‎src/Client/Messages/Parameters.cs
+23-17
diff --git a/‎src/Client/Messages/PushedAuthorizationRequest.cs
+114 b/‎src/Client/Messages/PushedAuthorizationRequest.cs
+114
@@ -0,0 +1,92 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using IdentityModel.Internal;
+using System;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace IdentityModel.Client;
+
+/// <summary>
+/// HttpClient extensions for OIDC discovery
+/// </summary>
+public static class HttpClientPushedAuthorizationExtensions
+{
+    /// <summary>
+    /// Sends a pushed authorization request
+    /// </summary>
+    /// <param name="client">The HTTP client.</param>
+    /// <param name="request"></param>
+    /// <param name="cancellationToken">The cancellation token.</param>
+    /// <returns></returns>
+    public static Task<PushedAuthorizationResponse> PushAuthorizationAsync(this HttpClient client, PushedAuthorizationRequest request, CancellationToken cancellationToken = default)
+    {
+        if(request.Parameters.ContainsKey(OidcConstants.AuthorizeRequest.RequestUri))
+        {
+            throw new ArgumentException("request_uri cannot be used in a pushed authorization request", "request_uri");
+        }
+
+        var clone = request.Clone();
+
+        // client id is always required, and will be added by the call to
+        // Prepare() for other client credential styles.
+        if(request.ClientCredentialStyle == ClientCredentialStyle.AuthorizationHeader)
+        {
+            clone.Parameters.AddRequired(OidcConstants.AuthorizeRequest.ClientId, request.ClientId);
+        }
+
+        if (request.Request.IsPresent() || request.Parameters.ContainsKey(OidcConstants.AuthorizeRequest.Request))
+        {
+            clone.Parameters.AddRequired(OidcConstants.AuthorizeRequest.Request, request.Request);
+        } 
+        else
+        {
+            clone.Parameters.AddRequired(OidcConstants.AuthorizeRequest.ResponseType, request.ResponseType);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.Scope, request.Scope);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.RedirectUri, request.RedirectUri);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.State, request.State);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.Nonce, request.Nonce);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.LoginHint, request.LoginHint);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.AcrValues, request.AcrValues);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.Prompt, request.Prompt);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.ResponseMode, request.ResponseMode);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.CodeChallenge, request.CodeChallenge);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.CodeChallengeMethod, request.CodeChallengeMethod);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.Display, request.Display);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.MaxAge, request.MaxAge.ToString());
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.UiLocales, request.UiLocales);
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.IdTokenHint, request.IdTokenHint);
+            foreach(var resource in request.Resource ?? [])
+            {
+                clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.Resource, resource, allowDuplicates: true);
+            }
+            clone.Parameters.AddOptional(OidcConstants.AuthorizeRequest.DPoPKeyThumbprint, request.DPoPKeyThumbprint);
+        }
+
+        return PushAuthorizationAsync(client, clone, cancellationToken);
+    }
+
+    internal static async Task<PushedAuthorizationResponse> PushAuthorizationAsync(this HttpMessageInvoker client, ProtocolRequest request, CancellationToken cancellationToken = default)
+    {
+        request.Prepare();
+        request.Method = HttpMethod.Post;
+            
+        HttpResponseMessage response;
+        try
+        {
+            response = await client.SendAsync(request, cancellationToken).ConfigureAwait();
+        }
+        catch (OperationCanceledException)
+		{
+            throw;
+		}
+        catch (Exception ex)
+        {
+            return ProtocolResponse.FromException<PushedAuthorizationResponse>(ex);
+        }
+
+        return await ProtocolResponse.FromHttpResponseAsync<PushedAuthorizationResponse>(response).ConfigureAwait();
+    }
+}
@@ -1,6 +1,8 @@
 // Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
+using IdentityModel.Internal;
+
 namespace IdentityModel.Client;
 
 /// <summary>
@@ -22,7 +24,7 @@ public static string Create(this RequestUrl request, Parameters parameters)
     /// <summary>
     /// Creates an authorize URL.
     /// </summary>
-    /// <param name="request">The request.</param>
+    /// <param name="request">The instance of the RequestUrl helper class.</param>
     /// <param name="clientId">The client identifier.</param>
     /// <param name="responseType">The response type.</param>
     /// <param name="scope">The scope.</param>
@@ -39,11 +41,12 @@ public static string Create(this RequestUrl request, Parameters parameters)
     /// <param name="maxAge">The max age.</param>
     /// <param name="uiLocales">The ui locales.</param>
     /// <param name="idTokenHint">The id_token hint.</param>
+    /// <param name="requestUri">The request uri.</param>
     /// <param name="extra">Extra parameters.</param>
     /// <returns></returns>
     public static string CreateAuthorizeUrl(this RequestUrl request,
         string clientId,
-        string responseType,
+        string? responseType = null,
         string? scope = null,
         string? redirectUri = null,
         string? state = null,
@@ -58,28 +61,37 @@ public static string CreateAuthorizeUrl(this RequestUrl request,
         int? maxAge = null,
         string? uiLocales = null,
         string? idTokenHint = null,
+        string? requestUri = null,
         Parameters? extra = null)
     {
         var values = new Parameters
         {
             { OidcConstants.AuthorizeRequest.ClientId, clientId },
-            { OidcConstants.AuthorizeRequest.ResponseType, responseType }
         };
 
-        values.AddOptional(OidcConstants.AuthorizeRequest.Scope, scope);
-        values.AddOptional(OidcConstants.AuthorizeRequest.RedirectUri, redirectUri);
-        values.AddOptional(OidcConstants.AuthorizeRequest.State, state);
-        values.AddOptional(OidcConstants.AuthorizeRequest.Nonce, nonce);
-        values.AddOptional(OidcConstants.AuthorizeRequest.LoginHint, loginHint);
-        values.AddOptional(OidcConstants.AuthorizeRequest.AcrValues, acrValues);
-        values.AddOptional(OidcConstants.AuthorizeRequest.Prompt, prompt);
-        values.AddOptional(OidcConstants.AuthorizeRequest.ResponseMode, responseMode);
-        values.AddOptional(OidcConstants.AuthorizeRequest.CodeChallenge, codeChallenge);
-        values.AddOptional(OidcConstants.AuthorizeRequest.CodeChallengeMethod, codeChallengeMethod);
-        values.AddOptional(OidcConstants.AuthorizeRequest.Display, display);
-        values.AddOptional(OidcConstants.AuthorizeRequest.MaxAge, maxAge?.ToString());
-        values.AddOptional(OidcConstants.AuthorizeRequest.UiLocales, uiLocales);
-        values.AddOptional(OidcConstants.AuthorizeRequest.IdTokenHint, idTokenHint);
+        if (requestUri.IsPresent())
+        {
+            values.AddRequired(OidcConstants.AuthorizeRequest.RequestUri, requestUri);
+        }
+        else
+        {
+            values.AddRequired(OidcConstants.AuthorizeRequest.ResponseType, responseType);
+            values.AddOptional(OidcConstants.AuthorizeRequest.Scope, scope);
+            values.AddOptional(OidcConstants.AuthorizeRequest.RedirectUri, redirectUri);
+            values.AddOptional(OidcConstants.AuthorizeRequest.State, state);
+            values.AddOptional(OidcConstants.AuthorizeRequest.Nonce, nonce);
+            values.AddOptional(OidcConstants.AuthorizeRequest.LoginHint, loginHint);
+            values.AddOptional(OidcConstants.AuthorizeRequest.AcrValues, acrValues);
+            values.AddOptional(OidcConstants.AuthorizeRequest.Prompt, prompt);
+            values.AddOptional(OidcConstants.AuthorizeRequest.ResponseMode, responseMode);
+            values.AddOptional(OidcConstants.AuthorizeRequest.CodeChallenge, codeChallenge);
+            values.AddOptional(OidcConstants.AuthorizeRequest.CodeChallengeMethod, codeChallengeMethod);
+            values.AddOptional(OidcConstants.AuthorizeRequest.Display, display);
+            values.AddOptional(OidcConstants.AuthorizeRequest.MaxAge, maxAge?.ToString());
+            values.AddOptional(OidcConstants.AuthorizeRequest.UiLocales, uiLocales);
+            values.AddOptional(OidcConstants.AuthorizeRequest.IdTokenHint, idTokenHint);
+            values.AddOptional(OidcConstants.AuthorizeRequest.RequestUri, requestUri);
+        }
 
         return request.Create(values.Merge(extra));
     }
 
@@ -76,6 +76,7 @@ protected override Task InitializeAsync(object? initializationData = null)
     public string? EndSessionEndpoint => TryGetString(OidcConstants.Discovery.EndSessionEndpoint);
     public string? CheckSessionIframe => TryGetString(OidcConstants.Discovery.CheckSessionIframe);
     public string? RegistrationEndpoint => TryGetString(OidcConstants.Discovery.RegistrationEndpoint);
+    public string? PushedAuthorizationRequestEndpoint => TryGetString(OidcConstants.Discovery.PushedAuthorizationRequestEndpoint);
     public bool? FrontChannelLogoutSupported => TryGetBoolean(OidcConstants.Discovery.FrontChannelLogoutSupported);
     public bool? FrontChannelLogoutSessionSupported => TryGetBoolean(OidcConstants.Discovery.FrontChannelLogoutSessionSupported);
     public IEnumerable<string> GrantTypesSupported => TryGetStringArray(OidcConstants.Discovery.GrantTypesSupported);
@@ -88,7 +89,8 @@ protected override Task InitializeAsync(object? initializationData = null)
     public IEnumerable<string> TokenEndpointAuthenticationMethodsSupported => TryGetStringArray(OidcConstants.Discovery.TokenEndpointAuthenticationMethodsSupported);
     public IEnumerable<string> BackchannelTokenDeliveryModesSupported => TryGetStringArray(OidcConstants.Discovery.BackchannelTokenDeliveryModesSupported);
     public bool? BackchannelUserCodeParameterSupported => TryGetBoolean(OidcConstants.Discovery.BackchannelUserCodeParameterSupported);
-    
+    public bool? RequirePushedAuthorizationRequests => TryGetBoolean(OidcConstants.Discovery.RequirePushedAuthorizationRequests);
+
     // generic
     public JsonElement TryGetValue(string name) => Json.TryGetValue(name);
     public string? TryGetString(string name) => Json.TryGetString(name);
 
@@ -129,7 +129,7 @@ public bool ContainsKey(string key)
     public void AddOptional(string key, string? value, bool allowDuplicates = false)
     {
         if (key.IsMissing()) throw new ArgumentNullException(nameof(key));
-            
+        if (value.IsMissing()) return;
         if (allowDuplicates == false)
         {
             if (ContainsKey(key))
@@ -138,42 +138,48 @@ public void AddOptional(string key, string? value, bool allowDuplicates = false)
             }
         }
 
-        if (value.IsPresent())
-        {
-            Add(key, value!);
-        }
+        Add(key, value!);
     }
 
     /// <summary>
-    /// Adds a required parameter
+    /// Ensures that a required parameter is present, adding it if necessary.
     /// </summary>
     /// <param name="key">The key.</param>
     /// <param name="value">The value.</param>
-    /// <param name="allowDuplicates">Allow multiple values of the same parameter.</param>
+    /// <param name="allowDuplicates">Allow multiple distinct values for a duplicated parameter key.</param>
     /// <param name="allowEmptyValue">Allow an empty value.</param>
     /// <exception cref="ArgumentNullException"></exception>
     /// <exception cref="InvalidOperationException"></exception>
     /// <exception cref="ArgumentException"></exception>
     public void AddRequired(string key, string? value, bool allowDuplicates = false, bool allowEmptyValue = false)
     {
         if (key.IsMissing()) throw new ArgumentNullException(nameof(key));
-            
-        if (allowDuplicates == false)
+
+        var valuePresent = value.IsPresent();
+        var parameterPresent = ContainsKey(key);
+
+        if(!valuePresent && !parameterPresent && !allowEmptyValue)
         {
-            if (ContainsKey(key))
+            // Don't throw if we have a value already in the parameters
+            // to make it more convenient for callers.
+            throw new ArgumentException("Parameter is required", key);
+        }
+        else if (valuePresent && parameterPresent && !allowDuplicates)
+        {
+            if(this[key].Contains(value))
             {
-                throw new InvalidOperationException($"Duplicate parameter: {key}");
+                // The parameters are already in the desired state (the required
+                // parameter key already has the specified value), so we don't
+                // throw an error
+                return;
             }
+            throw new InvalidOperationException($"Duplicate parameter: {key}");
         }
-            
-        if (value.IsPresent() || allowEmptyValue)
+
+        if (valuePresent || allowEmptyValue)
         {
             Add(key, value!);
         }
-        else
-        {
-            throw new ArgumentException("Parameter is required", key);
-        }
     }
 
     /// <summary>
 
@@ -0,0 +1,114 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using System.Collections.Generic;
+
+namespace IdentityModel.Client;
+
+/// <summary>
+/// Models the parameters that can be pushed in a Pushed Authorization Request.
+/// </summary>
+/// <seealso cref="ProtocolRequest" />
+public class PushedAuthorizationRequest : ProtocolRequest
+{
+    /// <summary>
+    /// Gets or sets the response_type protocol parameter.
+    /// </summary>
+    public string? ResponseType { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the scope protocol parameter.
+    /// </summary>
+    public string? Scope { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the redirect_uri protocol parameter.
+    /// </summary>
+    public string? RedirectUri { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the state protocol parameter.
+    /// </summary>
+    public string? State { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the nonce protocol parameter.
+    /// </summary>
+    public string? Nonce { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the login_hint protocol parameter.
+    /// </summary>
+    public string? LoginHint { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the acr_values protocol parameter.
+    /// </summary>
+    public string? AcrValues { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the prompt protocol parameter.
+    /// </summary>
+    public string? Prompt { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the response_mode protocol parameter.
+    /// </summary>
+    public string? ResponseMode { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the code_challenge protocol parameter.
+    /// </summary>
+    public string? CodeChallenge { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the code_challenge_method protocol parameter.
+    /// </summary>
+    public string? CodeChallengeMethod { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the display protocol parameter.
+    /// </summary>
+    public string? Display { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the max_age protocol parameter.
+    /// </summary>
+    public int? MaxAge { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the ui_locales protocol parameter.
+    /// </summary>
+    public string? UiLocales { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the id_token_hint protocol parameter.
+    /// </summary>
+    public string? IdTokenHint { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the resource protocol parameter.
+    /// </summary>
+    public ICollection<string> Resource { get; set; } = new HashSet<string>();
+    
+    /// <summary>
+    /// Gets or sets the dpop_jkt protocol parameter.
+    /// </summary>
+    public string? DPoPKeyThumbprint { get; set; }
+    
+    /// <summary>
+    /// Gets or sets the request protocol parameter.
+    /// </summary>
+    public string? Request { get; set; }
+
+    
+    /// <summary>
+    /// Copies properties from a request into a Parameters collection. 
+    /// </summary>
+    /// <param name="targetParameters">The parameters to copy into.</param>
+    public Parameters MergeInto(Parameters targetParameters)
+    {
+        
+        return targetParameters;
+    }
+}