
PAR fails to authenticate for public client #8939

@Robbilie

Description


Describe the bug

When trying to make a pushed authorization request with a public client, an authentication error is returned.

```bash
curl -vvv "https://xxx/auth/realms/main/protocol/openid-connect/ext/par/request" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=browser-test" \
  -d "response_type=code" \
  -d "redirect_uri=https%3A%2F%2Flocalhost" \
  -d "state=12345" \
  -d "nonce=12345" \
  -d "scope=openid"
```

```json
{"error":"invalid_request","error_description":"Authentication failed."}
```

https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/par/endpoints/AbstractParEndpoint.java#L77

For a confidential client the authorization header is added and the endpoint returns a request_uri successfully.

Version

15.0.2

Expected behavior

A response with the request_uri is returned for a public client.

Actual behavior

An error response is returned when no authorization header is provided.

How to Reproduce?

  1. create a new client
  2. configure to be public
  3. configure a return url
  4. make a request to the PAR endpoint with all known parameters like client_id, response_type, redirect_uri, state, nonce, scope

Anything else?

Error handling for the PAR logic seems to be sub-par since it seems like all the nice exceptions are just hidden behind the "authentication failed" one :)
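The exchange the report describes, as an added example that is not part of the issue or of Keycloak's own code: it builds the PAR form for a public client (client_id only) or a confidential client (HTTP Basic), classifies the JSON reply against the success shape from RFC 9126 and the failure shape shown above, and builds the follow-up authorization URL. The host and the client secret are placeholders; realm, client and parameter values are the report's.

```python
# Added example, not Keycloak's code; host and secret below are placeholders.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://keycloak.example.test/auth/realms/main"  # "xxx" in the report
PAR_PATH = "/protocol/openid-connect/ext/par/request"
AUTHZ_PATH = "/protocol/openid-connect/auth"

def build_par_request(client_id, redirect_uri, state, nonce, client_secret=None):
    """Return (headers, form body). A public client sends client_id only;
    a confidential client adds HTTP Basic, the case the report says works."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state,
              "nonce": nonce, "scope": "openid"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    return headers, urllib.parse.urlencode(params)

def classify_par_response(status, body):
    """RFC 9126: success is 201 with request_uri/expires_in. The reply the
    report shows for a public client is the 'Authentication failed.' error."""
    data = json.loads(body)
    if status == 201 and "request_uri" in data:
        return "ok", data["request_uri"]
    if data.get("error_description") == "Authentication failed.":
        return "auth-rejected", data["error"]
    return "error", data.get("error", f"http {status}")

def authorization_url(client_id, request_uri):
    """Second PAR step: the browser redirect carries only client_id and
    the request_uri handed back by the push."""
    q = urllib.parse.urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{BASE_URL}{AUTHZ_PATH}?{q}"

def push_authorization_request(client_id, redirect_uri, state, nonce, client_secret=None):
    """Perform the push against BASE_URL (network call) and classify the outcome."""
    headers, body = build_par_request(client_id, redirect_uri, state, nonce, client_secret)
    req = urllib.request.Request(BASE_URL + PAR_PATH, data=body.encode(), headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_par_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_par_response(exc.code, exc.read().decode())
```

Against the 15.0.2 behaviour in the report, `push_authorization_request("browser-test", "https://localhost", "12345", "12345")` with no secret comes back as `("auth-rejected", "invalid_request")`, while the same call with a confidential client's secret yields `("ok", <request_uri>)`.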

Labels: area/oidc, help wanted, kind/bug