In Section 12.1.1.2., the specification describes automatic RP registration using Pushed Authorization Requests.
The first sentence reads "... interoperable way to push a Request Object directly to the AS ...", and Section 12.1.1.2.1. on processing such a request states:

> The requirements specified in Section 12.1.1.1.2 also apply to Pushed Authorization Requests [RFC9126].

Said Section 12.1.1.1.2 in turn says:

> Once the OP has the RP's metadata, it MUST verify [...] the signature of the Request Object ...

So far, this sounds like automatic registration with PAR requires the use of a Request Object.
However, the example request in Figure 47 uses "plain" PAR parameters.
Furthermore, Section 12.1.1.2.1. on processing PAR requests lists some client authentication methods and states that the OP must use the keys published by the RP for the `openid_relying_party` Entity Type.
Such client authentication seems to only make sense when NOT using a (signed) Request Object.
I.e., it sounds like with PAR, using a Request Object is optional (which is also signaled through the headings of the respective sections: "Using a Request Object" and "Using Pushed Authorization").
My best guess is that with PAR, using a Request Object is indeed optional, but as explained above, this remains somewhat unclear to me.