Add PAR (Pushed Authorization Request) support

[subhankarmaiti]

adds support for Pushed Authorization Request (PAR) flows where the backend-for-frontend (BFF) handles the /par and /token endpoints while the SDK manages the browser-based authorization.

Usage

// Callback style
WebAuthProvider.authorizeWithRequestUri(account)
    .start(context, requestUri, object : Callback<AuthorizationCode, AuthenticationException> {
        override fun onSuccess(result: AuthorizationCode) {
            // Exchange result.code for tokens via BFF
        }
        override fun onFailure(error: AuthenticationException) {
            // Handle error
        }
    })

// Coroutines
val authCode = WebAuthProvider.authorizeWithRequestUri(account)
    .await(context, requestUri)
// Exchange authCode.code for tokens via BFF

[Copilot]

Pull request overview

This PR adds support for Pushed Authorization Request (PAR) flows, enabling a Backend-for-Frontend (BFF) architecture where the backend handles sensitive OAuth operations (/par and /token endpoints) while the SDK manages browser-based authorization. The implementation returns authorization codes to the app for BFF token exchange instead of performing token exchange directly in the SDK.

• Introduces AuthorizationCode data class to encapsulate authorization codes and optional state parameters
• Adds PARCodeManager to handle PAR-specific authorization flows without PKCE or token exchange
• Extends WebAuthProvider with authorizeWithRequestUri() API and PARBuilder supporting both callback and coroutine patterns

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
auth0/src/main/java/com/auth0/android/result/AuthorizationCode.kt	New data class to represent authorization code results with optional state parameter
auth0/src/main/java/com/auth0/android/provider/PARCodeManager.kt	New manager class implementing PAR flow logic, handling browser launch and callback processing
auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt	Adds authorizeWithRequestUri() method and PARBuilder class with callback and coroutine-based APIs
auth0/src/test/java/com/auth0/android/provider/PARCodeManagerTest.kt	Comprehensive test suite covering PAR flow scenarios including success, error, and cancellation cases
EXAMPLES.md	Detailed documentation with usage examples for basic PAR and PAR with PKCE flows

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The parameter documentation says "for the app to exchange via BFF" which is slightly inaccurate. The authorization code is returned to the app, which then sends it to the BFF for token exchange. Consider rewording to: "for the app to send to the BFF for token exchange" for clarity.

[Copilot]

The code example for backend PKCE implementation is written in Kotlin, but this is meant to demonstrate backend code. Backend services often use different languages or frameworks. Consider clarifying that this is pseudocode or example logic that should be adapted to the backend's language/framework, or provide a language-agnostic description instead.

[Copilot]

The note says "The SDK only handles opening the browser with the request_uri" but this is slightly incomplete. The SDK also handles receiving the authorization code from the callback. Consider clarifying: "The SDK only handles opening the browser with the request_uri and returning the authorization code from the callback. Token exchange must be performed by your backend server which holds the client_secret."

Suggested change

	> The SDK only handles opening the browser with the `request_uri` and returning the authorization code. Token exchange must be performed by your backend server which holds the `client_secret`.
	> The SDK only handles opening the browser with the `request_uri` and returning the authorization code from the callback. Token exchange must be performed by your backend server which holds the `client_secret`.

[Copilot]

The test shouldResumeWithValidCode doesn't verify that the optional state parameter is properly captured and returned in the AuthorizationCode result. Add a test case that includes a state parameter in the callback to ensure the state field is properly extracted and returned, since the AuthorizationCode class includes an optional state property that should be tested.

[Copilot]

The test shouldResumeWithValidCode verifies success but doesn't verify that WebAuthProvider.managerInstance is cleared after successful completion. Add an assertion to ensure the manager instance is cleaned up after resume() returns true, consistent with how it's tested in WebAuthProviderTest (see shouldClearLogoutManagerInstanceAfterSuccessfulLogout). This prevents memory leaks and ensures proper cleanup of resources.

[Copilot]

The startAuthentication function should have an explicit visibility modifier. Following the pattern used in other Manager classes like LogoutManager (which uses 'fun startLogout'), consider marking this as 'internal fun' for consistency, since it's only called internally by the PARBuilder.

Suggested change

	fun startAuthentication(context: Context, requestCode: Int) {
	internal fun startAuthentication(context: Context, requestCode: Int) {

[Copilot]

The log message "The response didn't contain any values: code" is misleading. Unlike OAuthManager which logs "The response didn't contain any of these values: code, state", this PAR flow only requires the 'code' parameter. However, the check 'values.isEmpty()' is too broad - it will reject callbacks that have query parameters but are missing the code. Consider changing the log message to be more accurate (e.g., "The callback response is empty") or adjust the check to specifically validate for missing 'code' after checking for errors, similar to how it's done later in the function.

Suggested change

	Log.w(TAG, "The response didn't contain any values: code")
	Log.w(TAG, "The callback response is empty")

[Copilot]

The parameter documentation says "for the app to exchange via BFF" which is slightly inaccurate. The authorization code is returned to the app, which then sends it to the BFF for token exchange. Consider rewording to: "for the app to send to the BFF for token exchange" for clarity.

[Copilot]

The PARBuilder.await() method lacks test coverage. The PR includes comprehensive callback-based tests but no coroutine-based tests for the PAR flow. Add tests similar to how LogoutBuilder.await() is tested in WebAuthProviderTest.kt (see shouldResumeLogoutSuccessfullyWithCoroutines test) to ensure the coroutine-based API works correctly.

[pmathew92]

The PKCE flow is something that the backend handles in this scenario. The SDK doesn't play any role other than providing the authorization code. Mentioning the PKCE nuances can cause confusion to the users. Lets just keep it simple with the normal flow description

[pmathew92]

Lets just remove this section.

[pmathew92]

You have defined a property to define CustomTabOptions but no method in the PARBuilder for the user to provide one

[pmathew92]

Need to address the changes in the documentation