Add JAR support

[leastprivilege]

This PR changes the request object logic to be compatible with both OIDC ROs and JAR

[steinarnoem]

Have you decided on whether or not to handle the "very-special-case" of symmetrically encrypted ROs in a JAR request without OAuth 2.0 parameters (iow: no client_id)?

[leastprivilege]

I support both client_id inside only - or in and outside the RO. But inside always takes precedence. And all inside values overwrite the outside values (if that makes sense).

[steinarnoem]

That is good! But I was referring to the case where there are no OAuth parameters (outside the RO) and the RO, for some unknown reason, is encrypted using a symmetric crypto algorithm. How would you find the correct key to decrypt?
I don't really think that it's a probable scenario, but maybe something that should be explicitly mentioned in the docs? Or just: "use the RAR endpoint to ensure confidentiality" :)

[leastprivilege]

Well - this would not work. If it is symmetrically encrypted then the client_id needs to be outside the RO (but must match the one inside).

But that all hypothetical since we don't support encrypted ROs ;)

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.