Ensure force PKCE always forces PKCE, fixes #1654

[ThisIsMissEm]

Summary

Previously force_pkce option could be bypassed if the client was confidential, that's no longer the case with the Security Practices BCP, which recommends PKCE for all clients.

Fixes #1654

This is technically a breaking change

Other Information

We could perhaps simplify the tests a little, but I'm not sure that's necessary right now.

[nbulaj]

LGTM, thanks

[gkemmey]

how does this affect implementations currently forcing public apps to use pkce, but not confidential ones? unless i'm misunderstanding, this is a breaking change i'd have to pass on to third-party integrators, or disable the force_pkce option entirely.

[ThisIsMissEm]

how does this affect implementations currently forcing public apps to use pkce, but not confidential ones? unless i'm misunderstanding, this is a breaking change i'd have to pass on to third-party integrators, or disable the force_pkce option entirely.

@gkemmey This would be a breaking change, in which case, I'd recommend disabling force_pkce and then introducing it again to your ecosystem. I'd be hesitant to add a block invocation for force_pkce when it should really be an "on" or "off" option. Keep in mind, that the OAuth 2.1 and OAuth Security Current Best Practices strongly recommend PKCE for all authorization code requests due to the volume of security issues that PKCE fixes.

Keep in mind this would not affect client credentials grant flow, only authorization code grant flow.

[molawson]

I'd be hesitant to add a block invocation for force_pkce when it should really be an "on" or "off" option.

@ThisIsMissEm Can you say a little more about this perspective? While I love the idea of moving more providers and clients in the direction of the most secure methods of operation available, having some in-between functionality (i.e. a "partially on" state as the code works prior to this change) seems hugely beneficial for enabling apps to move in this more secure direction incrementally. I understand that's not ideal and makes for more code to maintain (I love the simplicity of this change!), but there seems like a reasonable amount of upside to that incremental/layered approach.

[ThisIsMissEm]

If anything, we'd add a require_pkce_for block, but force_pkce should always be all clients or none, you can't partially "force" something.

So like:

require_pkce_for { |client, server|  ... }

Or something (you wouldn't have the grant type in here, because it's only authorization_code where this is relevant).

But you could probably also do this with a custom extension, I think, in like the PreAuth code?