Consider Enabling PKCE for Authorization Code by Default

[rwinch]

PKCE is recommended to prevent CSRF and authorization code injection attacks. We should consider enabling enabling PKCE for authorization_code flows by default to ensure we have secure defaults.

In order to ensure this goes as smoothly as possible, I think that we would need to:

• Ensure it is easy to disable in the event that it breaks users
• Align the Authorization Server

NOTE: This is a breaking change, so it would need to be done with Spring Security 7.0.

[kiruthiga1793]

Hi @rwinch I am interested in working on this issue. Can you please assign me?

[jornfranke]

Fully support this. This is also mandated by OAuth 2.1
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12

The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters