oauth: Pushed Authorization Requests (RFC 9126)
Adds an optional par_endpoint to custom providers and an Oauth.Par
module covering the client side of PAR:
- Par.push form-encodes the same authorization parameters
authorization_url would have put in the query string, POSTs them to
par_endpoint under Client_auth, and parses the {request_uri,
expires_in} response. Accepts an optional dpop_proof for servers that
require DPoP on PAR (RFC 9449 §10).
- Par.authorization_url builds the minimal authorization URL carrying
only client_id and request_uri per RFC 9126 §4.
- Par.parse_response decodes the JSON response and distinguishes
missing request_uri, missing expires_in, bad HTTP status, and bad
JSON.
custom_provider now takes an optional ~par_endpoint which is HTTPS-
checked like the other URLs. Built-in providers (GitHub, Google,
GitLab) have no standard PAR endpoint so Par.push returns
No_par_endpoint for them.
8 new tests cover parse success, each parse error, push refusal without
an endpoint, the URL composition carrying only client_id+request_uri,
and HTTPS validation of par_endpoint.