I have a use case where the server must accept authorization requests only when they contain a signed request object (should be configurable per client).
The server must only accept a request object entered by value, and not by reference.
I have implemented a way to configure if a client:
- doesn't need to provide a request object
- needs to provide a request object in either the 'request' or the 'request_uri' param
- needs to provide a request in the 'request' param
- needs to provide a request in the 'request_uri' param