identity/oidc: Adds proof key for code exchange (PKCE) support

[austingebauer]

Overview

This PR adds proof key for code exchange (PKCE) support to OIDC providers. Details on PKCE are available in rfc7636.

The following table shows the behavior given various PKCE-related inputs. "Present" means that the parameter was provided to the API. "Absent" means the parameter was not provided to the API or is empty. Some of this behavior isn't defined by the RFC, so I'm flexible in changing it based on feedback.

This also adds the concept of public and confidential clients. Confidential clients are the default type and may use PKCE. Public clients do not have a client secret and are required to use PKCE.

Authorization Endpoint

code_challenge	code_challenge_method	behavior
Absent	Absent	PKCE not used
Absent	Present	PKCE not used
Present	Absent	PKCE used with default method from rfc7636 (plain)
Present	Present	PKCE used with given method

Token Endpoint

code_verifier	PKCE used in authorization	behavior
Absent	No	PKCE not used (code_verifier not verified)
Absent	Yes	invalid_request error
Present	No	invalid_request error
Present	Yes	code_verifier is verified using method

Testing

I've added tests that exercise PKCE using the hashicorp/cap OIDC client. I've also added some tests to verify that errors are returned when expected.

Documentation will follow in a separate PR.

[calvn]

Should there be a param on the OIDC provider config endpoint to enforce PKCE? Asking since there's an expected error in the spec if clients don't provide a code_challenge to a provider that requires it.

[calvn]

Looks great!

[fairclothjm]

Finally got around to this. LGTM!