Auth: Use PKCE by default (If OAuth provider supports PKCE)

[arukiidou]

What is this feature?

• Use PKCE by default (If Oauth provider supports)
  • Add use_pkce = true to defaults.ini
  • Add use_pkce = true to sample.ini

Why do we need this feature?

• PKCE is going to be a required part of OAuth 2.1 which means that in the near future it'll be something that'll be required by authorization servers.
• And some OAuth provider supports PKCE.
  • see Proof Key for Code Exchange: PKCE Challenge in Authorization_Code flow #22122
    • also see OAuth: Support PKCE #39948

Who is this feature for?

• Users who use an Oauth provider

Which issue(s) does this PR fix?:

• Fixes Auth: Use PKCE by default (If OAuth provider supports PKCE) #68073

Special notes for your reviewer:

• It is recommended that this be done during a major release.

• suggest labels

  • area/auth/oauth
  • breaking change Relevant for changelog generation
  • add to changelog
  • no-backport Skip backport of PR

• You can fallback to the previous behavior by setting environment variables

  • GF_AUTH_AZUREAD_USE_PKCE: false
  • GF_AUTH_GITLAB_USE_PKCE: false
  • GF_AUTH_GOOGLE_USE_PKCE: false
  • GF_AUTH_OKTA_USE_PKCE: false

• Github and Generic should not be changed yet(May not support PKCE).

screenshots(gitlab)

• if GF_AUTH_GITLAB_USE_PKCE not set, then use_pkce = true(default)

screenshots(okta)

• set GF_AUTH_OKTA_USE_PKCE: false, then use_pkce = false(override)

Please check that:

• It works as expected from a user's perspective.
• If this is a pre-GA feature, it is behind a feature toggle.
• The docs are updated, and if this is a notable improvement, it's added to our What's New doc.

[mgyongyosi]

Thanks @arukiidou for this PR. I tested it and it is working properly! 💯