Fix PKCE Oauth2 exchange #24858
apparentlymart merged 1 commit into hashicorp:master from mmmorris1975:master
Conversation
Providers like Okta and AWS Cognito expect that the PKCE challenge uses base64 URL Encoding without any padding (base64.RawURLEncoding). Additionally, Okta strictly adheres to section 4.2 of RFC 7636 and requires that the unencoded key for the PKCE data is at least 43 characters in length.
Thanks @mmmorris1975! If you update your commit message to include "fixes #24858" that will close the issue automatically when this is merged.

I gave it a quick run against TF Cloud, and all seemed to work as expected. Output shown in this gist.

Hi @mmmorris1975! Thanks for working on this. We had previously seen this working but I expect that's because previously the challenge had a length that didn't require base64 padding and so it didn't encounter this problem. With that said, this fix looks good to me and I was able to reproduce the testing with Terraform Cloud and with a minimal Amazon Cognito configuration, and so I'm going to merge this. I have not re-verified with Okta because I don't currently have a usable Okta account to test with, but I can see that this change does indeed make Terraform's implementation match the details of the RFC. Thanks again!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Providers like Okta and AWS Cognito expect that the PKCE challenge
uses base64 URL Encoding without any padding (base64.RawURLEncoding).
Additionally, Okta strictly adheres to section 4.2 of RFC 7636 and
requires that the unencoded key for the PKCE data is at least 43
characters in length.
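The two encoding rules the PR description and the commit message above rely on, as an added example that is not code from this PR or from Terraform: the `code_verifier` is 43 to 128 characters drawn from the unreserved set (RFC 7636 section 4.1), and the S256 `code_challenge` is `BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))` with no `=` padding (section 4.2). The function names, the choice of 32 random octets for the verifier (which base64url-encodes to exactly 43 characters), and the padded "before" variant are my own; the verifier/challenge pair in `main` is the test vector from Appendix B of RFC 7636.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// verifierRe is the RFC 7636 section 4.1 grammar: unreserved characters
// only ([A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"), 43 to 128 of them.
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

// NewVerifier builds a code_verifier from 32 random octets. RawURLEncoding
// emits 4 characters per 3 bytes with no padding, so 32 bytes -> 43 chars,
// exactly the minimum Okta enforces. (Assumption: 32 octets is my choice;
// the RFC only says "at least 256 bits of entropy" is recommended.)
func NewVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// ValidVerifier reports whether v satisfies the section 4.1 length and charset rules.
func ValidVerifier(v string) bool { return verifierRe.MatchString(v) }

// ChallengeS256 is the section 4.2 derivation: base64url of the SHA-256
// digest, unpadded. The 32-byte digest always yields 43 characters.
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ChallengeS256Padded is the incorrect form this PR fixes: padded base64url.
// 32 is not a multiple of 3, so the output always ends in "=", which is not
// in the RFC's alphabet and which strict servers (Okta, Cognito) reject.
func ChallengeS256Padded(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.URLEncoding.EncodeToString(sum[:])
}

// VerifyS256 is the server side of the exchange: validate the verifier's
// shape, recompute the challenge and compare in constant time.
func VerifyS256(verifier, challenge string) error {
	if !ValidVerifier(verifier) {
		return errors.New("code_verifier violates RFC 7636 section 4.1")
	}
	want := []byte(ChallengeS256(verifier))
	if subtle.ConstantTimeCompare(want, []byte(challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	// RFC 7636 Appendix B test vector.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	fmt.Println("unpadded:", ChallengeS256(verifier))
	fmt.Println("padded:  ", ChallengeS256Padded(verifier))
	fmt.Println("server accepts unpadded:", VerifyS256(verifier, ChallengeS256(verifier)) == nil)
	fmt.Println("server accepts padded:  ", VerifyS256(verifier, ChallengeS256Padded(verifier)) == nil)

	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated verifier: %d chars, valid=%v\n", len(v), ValidVerifier(v))
}
```

The padded variant differs from the correct one only by a trailing `=`, which is why a client can appear to work against a lenient server and then fail against one that applies the RFC's grammar strictly; a quick check on any PKCE client is that neither its `code_verifier` nor its `code_challenge` ever contains `=`.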