diff --git a/pkg/openid/client/login.go b/pkg/openid/client/login.go
index 5e535f3..83709dc 100644
--- a/pkg/openid/client/login.go
+++ b/pkg/openid/client/login.go
@@ -7,7 +7,6 @@ import (
 "errors"
 "fmt"
 "net/http"
- urllib "net/url"
 "slices"
 stringslib "strings"
@@ -129,25 +128,25 @@ func (c *Client) authCodeURL(ctx context.Context, authCodeParams openid.Authoriz
 return "", fmt.Errorf("unmarshalling token response: %w", err)
 }
- // TODO: this can be a separate function to replace oauth2config.AuthCodeURL
- v := urllib.Values{
- "client_id": {c.oauth2Config.ClientID},
- "request_uri": {pushedAuthorizationResponse.RequestUri},
- }
- var buf bytes.Buffer
- buf.WriteString(c.oauth2Config.Endpoint.AuthURL)
- if stringslib.Contains(c.oauth2Config.Endpoint.AuthURL, "?") {
- buf.WriteByte('&')
- } else {
- buf.WriteByte('?')
- }
- buf.WriteString(v.Encode())
- return buf.String(), nil
+ return c.makeAuthCodeURL(openid.ParAuthorizationRequestParams(
+ c.oauth2Config.ClientID,
+ pushedAuthorizationResponse.RequestUri,
+ )), nil
 }
- opts := authCodeParams.RequestParams().AuthCodeOptions()
- // TODO: replace with separate function
- return c.oauth2Config.AuthCodeURL(authCodeParams.State, opts...), nil
+ return c.makeAuthCodeURL(authCodeParams.RequestParams()), nil
+}
+
+func (c *Client) makeAuthCodeURL(params openid.RequestParams) string {
+ var buf bytes.Buffer
+ buf.WriteString(c.oauth2Config.Endpoint.AuthURL)
+ if stringslib.Contains(c.oauth2Config.Endpoint.AuthURL, "?") {
+ buf.WriteByte('&')
+ } else {
+ buf.WriteByte('?')
+ }
+ buf.WriteString(params.URLValues().Encode())
+ return buf.String()
 }
 func (l *Login) SetCookie(w http.ResponseWriter, opts cookie.Options, crypter crypto.Crypter, canonicalRedirect string) error {
diff --git a/pkg/openid/oauth2.go b/pkg/openid/oauth2.go
index 151522e..00f5662 100644
--- a/pkg/openid/oauth2.go
+++ b/pkg/openid/oauth2.go
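Review bot: The non-PAR branch, `return c.makeAuthCodeURL(authCodeParams.RequestParams()), nil`, no longer goes through `oauth2Config.AuthCodeURL`, which previously supplied `response_type=code`, `client_id`, `redirect_uri` and `scope` from the config and took `authCodeParams.State` as an explicit argument; nothing in this hunk shows `RequestParams()` producing those keys. Confirm it does — `state` in particular (and `nonce`/`code_challenge` if the client uses them), since an authorization request that silently drops `state` loses the CSRF binding the callback relies on — and a test asserting those keys appear in the generated URL would pin it. In `makeAuthCodeURL`, choosing `?` vs `&` with `stringslib.Contains(c.oauth2Config.Endpoint.AuthURL, "?")` assumes the configured endpoint carries no fragment and no trailing `?`; that assumption deserves a doc comment such as `// makeAuthCodeURL appends params as a query string to Endpoint.AuthURL, which is assumed to have no fragment.` `authCodeURL` starts outside the hunk, so the origin of `pushedAuthorizationResponse` and of `authCodeParams` is not visible here.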
@@ -164,6 +164,15 @@ func RefreshGrantParams(clientID, refreshToken string) RequestParams {
 }
 }
+// ParAuthorizationRequestParams returns a map of parameters to be sent to the authorization server when using the
+// authorization endpoint after performing a Pushed Authorization Request (PAR) as defined in RFC 9126, section 4.
+func ParAuthorizationRequestParams(clientID, requestUri string) RequestParams {
+ return RequestParams{
+ "client_id": clientID,
+ "request_uri": requestUri,
+ }
+}
+
 func StateMismatchError(queryParams url.Values, expectedState string) error {
 actualState := queryParams.Get("state")