Started this with the goal of updating websignin to the latest version of the specification. It now supports PKCE, uses the code flow, and can use the metadata endpoint and therefore supports issuer verification for additional security.
While testing this, discovered that while all the PKCE tests passed, the system was not properly redirecting them, so since we still accept non-PKCE flows, it was letting it through as if it wasn't there. Fixed that here.
Also changed the notice to show when PKCE isn't being used, as opposed to used.
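The fall-through described above, as an added illustration in Python that is not websignin's own code: a token endpoint that computes the PKCE result but never rejects on it, beside a version where skipping PKCE is decided only by whether a challenge was bound at authorization time. The in-memory store and function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store of issued authorization codes, keyed by code.
# Each entry records the code_challenge the client bound to the code, or
# None for a non-PKCE authorization request.
AUTH_CODES: Dict[str, Dict[str, Optional[str]]] = {}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def issue_code(client_id: str, code_challenge: Optional[str]) -> str:
    """Authorization endpoint: mint a code and remember the bound challenge."""
    code = b64url(secrets.token_bytes(32))
    AUTH_CODES[code] = {"client_id": client_id, "code_challenge": code_challenge}
    return code

def redeem_code_buggy(code: str, code_verifier: Optional[str]) -> bool:
    """Token endpoint with the fall-through defect: the PKCE comparison runs,
    but its result is never acted on, so the request proceeds as non-PKCE."""
    entry = AUTH_CODES.get(code)
    if entry is None:
        return False
    challenge = entry["code_challenge"]
    pkce_ok = True
    if challenge is not None and code_verifier is not None:
        pkce_ok = hmac.compare_digest(make_challenge(code_verifier), challenge)
    # Bug: pkce_ok is never consulted. Non-PKCE flows are accepted, so a
    # failed verifier match falls through to success as if PKCE were absent.
    return True

def redeem_code(code: str, code_verifier: Optional[str]) -> bool:
    """Token endpoint, fixed: whether PKCE applies is decided by what was bound
    at authorization time, never by what the token request happens to omit."""
    entry = AUTH_CODES.pop(code, None)      # codes are single-use, even on failure
    if entry is None:
        return False
    challenge = entry["code_challenge"]
    if challenge is None:
        return True                          # genuine non-PKCE flow
    if code_verifier is None or not 43 <= len(code_verifier) <= 128:
        return False                         # challenge bound, verifier missing/malformed
    return hmac.compare_digest(make_challenge(code_verifier), challenge)
```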