Add ClientRegistration.codeChallengeMethod to Enable PKCE

[rwinch]

PKCE is recommended to prevent CSRF and authorization code injection attacks. We should further simplify enabling PKCE for Confidential Clients.

Current Behavior

The simplest Spring Boot application that requires PKCE is shown below:

@Bean
SecurityFilterChain springSecurity(HttpSecurity http, OAuth2AuthorizationRequestResolver resolver) throws Exception {
	http
		.authorizeHttpRequests( r -> r
			.anyRequest().authenticated()
		)
		.oauth2Login(l -> l
			.authorizationEndpoint(a -> a
				.authorizationRequestResolver(resolver)
			)
		);
	return http.build();
}

@Bean
OAuth2AuthorizationRequestResolver pkceResolver(ClientRegistrationRepository clientRegistrationRepository) {
	DefaultOAuth2AuthorizationRequestResolver resolver = 
		new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository,"/oauth2/authorization");
	resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
	return resolver;
}

Shortcomings

This will be simplified to just a Bean declaration when gh-16380 is implemented, but this still has the following downsides:

• It is not discoverable from the configuration of a typical Spring Security application
• It is not declarative

For something that is considered a best security practice (rather than an edge case), we must do better.

Solution

I think what makes the most sense is adding a property ClientRegistration.codeChallengeMethod=S256 (default is null or disabled) similar to what was proposed in gh-12219.

Note that this is on the ClientRegistration because this is how Spring Security decides which grant type to use. If a single application has multiple grant types for the same provider (or different providers), then it is possible that PKCE is not even valid for a specific registration.

This also has the advantage of making it simple for users to define a property using Spring Boot to declaratively enable PKCE with Spring Security.

Previous Discussions

Perhaps this is no longer a problem, but I wanted to bring it up proactively. I know that this was previously declined because:

• PKCE is only applicable for authorization_code, so there was hesitation around introducing a PKCE property. I do not find this a valid argument. Spring Security already has properties that are only used for specific grant types and custom validation based upon the grant type. For example, the authorizationUri and tokenUri only make sense for the authorization_code grant type and not for client_credentials. A property for enabling PKCE is just another property, that is validated differently by the grant type.
• Enabling PKCE makes more sense with Spring Boot auto-configuration. However, Spring Boot rejected the proposal.
• There are concerns that PKCE may not be something that is configured per client. I'd argue that it needs to be per registration because this is how Spring Security decides which grant type to use. If a single application has multiple grant types for the same provider (or different providers), then it is possible that PKCE is not even valid for a specific registration.

cc @jgrandja @sjohnr