Issue #3266205: Add PKCE flow capabilities for eligible clients (!59) · Merge requests · project / openid_connect

What / Why

Add PKCE authorization flow support for eligible clients: Google, Okta, Generic.
Add PKCE related settings to the Client base class and update the config schema. This allows individual clients to declare that they are compatible and enable using PKCE as part of the authorization flow.
- Allow selecting S256 and plain code_challenge transformation methods per https://www.rfc-editor.org/rfc/rfc7636#section-4.2. Use S256 as a good default but allow plain as it is supported by some providers like Google
Rename ::getUrlOptions to ::getAuthorizeRequestOptions to reflect the usage and add logic to add/store the code_verifier value and add the code_challenge value
- Use this method again in ::authorize, it was unused
- Use random_bytes to generate the verifier value for cryptographic randomness
Rename ::getRequestOptions to ::getTokenRequestOptions to reflect the usage and add logic to add the stored code_verifier
Fix a small grammar error with double "the"s

Edited Oct 24, 2022 by Gary Gao