Update OIDC login to add support for PKCE #298

@paulmillar

dCacheView currently uses implicit flow to obtain an access token from the OP.

Implicit flow has several known problems. These are principally related to the complexity of the web-browser and the JavaScript library ecosphere.

PKCE is defined in RFC 7636 (authorization code interception attack):

OAuth 2.0 public clients utilizing the Authorization Code Grant are
susceptible to the authorization code interception attack. This
specification describes the attack as well as a technique to mitigate
against the threat through the use of Proof Key for Code Exchange
(PKCE, pronounced "pixy").

Opinion is somewhat divided: some people suggest that if the risks of using implicit flow are understood and acceptable, then PKCE provides limited benefits (new projects should use PKCE, but existing code using implicit flow is OK). Others say that PKCE should always be used because it guards against certain attack vectors.

From my experience operating with large infrastructures (Helmholtz ID, EGI CheckIn), dCacheView's use of implicit flow is inconvenient. OPs seem to have implicit flow disabled by default. This means there is an additional, administrative step (requesting implicit flow is enabled) when adding support for federated login with dCacheView.

Adopting PKCE would allow dCacheView to use an authentication flow that OPs more readily support -- although this hasn't been tested.

Here are some articles advocating PKCE adoption:

https://christianlydemann.com/implicit-flow-vs-code-flow-with-pkce/
https://dropbox.tech/developers/pkce--what-and-why-

Labels: OIDC (Problems with OpenID-Connect support), enhancement