Add support to PKCE in OIDC connector

[johnvan7]

Overview

This PR adds support for PKCE in the OIDC connector.

PKCE (Proof Key for Code Exchange) - RFC 7636 - is an extension to the Authorization Code flow to prevent CSRF (Cross-Site Request Forgery) and authorization code injection attacks.

PKCE Flow

                                             +-------------------+
                                             | Upstream Connector|
   +--------+                                | +---------------+ |
   |        |--(A)- Authorization Request ---->|               | |
   |        |       + t(code_verifier), t_m  | | Authorization | |
   |        |                                | |    Endpoint   | |
   |        |<-(B)---- Authorization Code -----|               | |
   |        |                                | +---------------+ |
   |   dex  |                                |                   |
   |        |                                | +---------------+ |
   |        |--(C)-- Access Token Request ---->|               | |
   |        |          + code_verifier       | |    Token      | |
   |        |                                | |   Endpoint    | |
   |        |<-(D)------ Access Token ---------|               | |
   +--------+                                | +---------------+ |
                                             +-------------------+

The PKCE flow requires a code challenge to be passed to the authorization endpoint and a code verifier to be sent to the token endpoint.

What this PR does / why we need it

Dex currently does not support PKCE flow for upstream OIDC providers.
However, some identity providers (IdPs) require PKCE flow support to complete the authentication process.

Key features

• It uses dynamic configuration through OAuth2 discovery metadata (supports S256 and plain).
• It is possible (but optional) to specify an algorithm to use in the PKCEChallenge key of the connector's config.
• The generated code is saved in the connectorData of the auth request in the database, allowing the management of multiple PKCE connections simultaneously across multiple running instances of dex.

Does this PR introduce a user-facing change?

• Adds the optional PKCEChallenge configuration option to the OIDC connector to specify an algorithm to use in the PKCE flow.

Special notes for your reviewer

Related PRs:

• feat: Support PKCE in OIDC connector #3188
• feat:Add support for Public OIDC Providers #3195
• feat: Introducing client_credentials grant | PKCE challenge to the authorization code flow #3162
• Return connector state from LoginURL() and pass it to HandleCallback() #2041

Related discussions:

• PKCE with OIDC Connector #2253
• PKCE for connectors? #3741

[ClaudioNTT]

I've tested the PR, and it works as expected, using the PKCE flow with OAuth0 and PingFederate
@nabokihms @johnvan7 @cameronbrunner

[kratosmat]

Hi Giovanni,
I hope you receive the approval, we also need this feature, thanks a lot.

[nabokihms]

Could you also please sign your commits? DCO will not pass otherwise

[johnvan7]

@nabokihms I've done the requested changes and signed my commits.
I've added pkceVerifierCache to handle multiple concurrent connections, inspired by PR #3195.

[nabokihms]

@johnvan7 could you please investigate the issue with tests and the lint?

[johnvan7]

@nabokihms could you please restart workflows?
It should be fixed

[nabokihms]

@sagikazarmark could you please take a look? There is an important change to the rock solid interface. Are you OK with this?