Expose OpenIdConnectOptions.PushedAuthorizationBehavior config on OktaMvcOptions #306

@gao-artur

Description

Describe the feature request?

Please expose OpenIdConnectOptions.PushedAuthorizationBehavior config on OktaMvcOptions (available since .NET 9).

.NET Version

9.0.8

Provide a documentation link if applicable

https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/authorizeCustomASWithPost

https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/parCustomAS

Additional Information?

For context:
We are using a self-hosted login page with an Authorization Code with PKCE flow. Our login flow looks as follows:

  1. UI sends user credentials to /authn endpoint
  2. UI sends session_token received in step 1 to the backend service
  3. BE service redirects to /authorize endpoint with all required parameters, including session_token
  4. Okta makes its verifications and redirects back to BE
  5. continue the flow...

After upgrading Okta Identity Engine, the flow has changed. After receiving the session_token from the UI, the BE calls /par endpoint with the session_token that is eventually ignored by Okta. After that, BE redirects to /authorize endpoint with request_uri=urn:okta:xxxxxx. However, instead of redirecting back to the BE service, Okta displays its login screen, forcing the user to authenticate for a second time.

The default of PushedAuthorizationBehavior is UseIfAvailable, and since Okta added pushed_authorization_request_endpoint to the discovery API after the Identity Engine upgrade, this caused the behaviour to change.

The only solution to preserve the old UX is to disable PAR. As a workaround, we do that like this:

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Named options: "OpenIdConnect" is the scheme under which the Okta SDK registers its OIDC handler.
services.Configure<OpenIdConnectOptions>(
   "OpenIdConnect",
   options => options.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Disable);
```

But having a property on OktaMvcOptions will make it simpler.
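The snippet below is an added example, not code from this issue or from the Okta ASP.NET Core SDK. It shows the two checks a practitioner wants around this behaviour change: reading the authorization server's discovery document to confirm whether `pushed_authorization_request_endpoint` is advertised (the trigger the issue describes), and pinning `PushedAuthorizationBehavior` explicitly for the OIDC scheme so the handler's `UseIfAvailable` default cannot flip the flow again. It assumes the handler is registered under the scheme name `"OpenIdConnect"` (taken from the issue's workaround; `OpenIdConnectDefaults.AuthenticationScheme` holds that string) and that the issuer URL passed in is your Okta authorization server.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Added example (hypothetical helper class, not part of the Okta SDK).
public static class OktaParConfig
{
    // Scheme name the Okta SDK's OIDC handler is registered under.
    // Assumption: matches the "OpenIdConnect" string used in the issue's workaround.
    public const string OktaOidcScheme = OpenIdConnectDefaults.AuthenticationScheme;

    // Fetches the issuer's OIDC discovery document and returns the PAR endpoint
    // if the server advertises one, otherwise null. When this returns non-null,
    // an OpenIdConnectHandler left at PushedAuthorizationBehavior.UseIfAvailable
    // will call /par before redirecting to /authorize.
    public static async Task<string?> GetParEndpointAsync(HttpClient http, Uri issuer)
    {
        var discovery = new Uri(issuer.ToString().TrimEnd('/') + "/.well-known/openid-configuration");
        using var stream = await http.GetStreamAsync(discovery);
        using var doc = await JsonDocument.ParseAsync(stream);

        return doc.RootElement.TryGetProperty("pushed_authorization_request_endpoint", out var endpoint)
            ? endpoint.GetString()
            : null;
    }

    // Pins PAR behaviour for the Okta OIDC scheme. PostConfigure runs after every
    // Configure callback for the same named options, so this value wins regardless
    // of the order in which AddOktaMvc and other Configure calls were registered.
    public static IServiceCollection ConfigureOktaPar(
        this IServiceCollection services,
        PushedAuthorizationBehavior behavior)
    {
        services.PostConfigure<OpenIdConnectOptions>(
            OktaOidcScheme,
            options => options.PushedAuthorizationBehavior = behavior);
        return services;
    }
}

// Usage at startup (after the Okta SDK registration), e.g.:
//   builder.Services.ConfigureOktaPar(PushedAuthorizationBehavior.Disable);
//
// Diagnostic, e.g. from a health check or a one-off script:
//   var par = await OktaParConfig.GetParEndpointAsync(httpClient, new Uri("https://<your-okta-domain>/oauth2/default"));
//   Console.WriteLine(par is null ? "PAR not advertised" : $"PAR advertised at {par}");
```

Pinning the value explicitly, rather than relying on the `UseIfAvailable` default, makes the handler's behaviour independent of what the discovery document says on a given day, which is exactly what changed here when Okta started advertising the PAR endpoint. Note that PAR keeps the authorization request parameters in the back channel instead of the browser redirect, so `Disable` is a trade-off worth recording; prefer `UseIfAvailable` or `Require` on any flow where the login UX does not depend on passing `session_token` through `/authorize`.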

Labels: enhancement (New feature or request)