opensrp / opensrp-server-web

OpenSRP Server Generic Web Application

Implement OAuth2 Authorization Code Grant Type With PKCE #46

Open moshthepitt opened 5 years ago

moshthepitt commented 5 years ago

Currently, public clients (like JavaScript apps with no backend) are forced to use the implicit grant type when doing OAuth2 with an OpenSRP server as the provider.

However, it is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use the authorization code flow with the PKCE extension instead.

The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE.

We should implement the PKCE extension to make this possible.

moshthepitt commented 5 years ago

More info https://oauth.net/2/grant-types/implicit/

moshthepitt commented 5 years ago

More on PKCE: https://tools.ietf.org/html/rfc7636
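To make concrete what the issue body asks for (public clients using the authorization code flow with the PKCE extension) and what RFC 7636 specifies, here is an added example that walks through both sides of the exchange. It is not code from OpenSRP or from this issue's author; it is a self-contained Python model in which `AuthorizationServer` is a hypothetical stand-in for the server-side pieces OpenSRP would need (storing the `code_challenge` with each issued authorization code, and checking the `code_verifier` at the token endpoint). The client-side functions follow RFC 7636 section 4 (base64url without padding, SHA-256 for the `S256` method), and the RFC's Appendix B test vector is used to check the challenge computation.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: the verifier is 43..128 characters from the
# unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url encoding with padding stripped, as RFC 7636 Appendix A describes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes encode to 43 characters, the minimum allowed length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical server-side model (not OpenSRP code): binds the challenge to the code."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge)
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "plain") -> str:
        """Authorization endpoint: a public client must present an S256 challenge."""
        # "plain" is only allowed by the RFC for clients unable to do S256;
        # a browser app can always do S256, so the server refuses anything else.
        if code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        if not code_challenge:
            raise ValueError("invalid_request: code_challenge is required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> dict:
        """Token endpoint: recompute the challenge from the verifier and compare."""
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            raise ValueError("invalid_grant: code was not issued to this client")
        if not _VERIFIER_RE.match(code_verifier):
            raise ValueError("invalid_grant: malformed code_verifier")
        expected = make_code_challenge(code_verifier)
        # Constant-time comparison, so the check leaks nothing about the stored value.
        if not hmac.compare_digest(expected, stored_challenge):
            raise ValueError("invalid_grant: code_verifier does not match")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow() -> dict:
    """Full exchange for a constructed public client, plus the two failure cases."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("spa-client", make_code_challenge(verifier), "S256")
    token = server.token("spa-client", code, verifier)

    # A stolen code without the verifier is useless: a different verifier is rejected.
    stolen = server.authorize("spa-client", make_code_challenge(verifier), "S256")
    try:
        server.token("spa-client", stolen, make_code_verifier())
        wrong_verifier_rejected = False
    except ValueError:
        wrong_verifier_rejected = True

    # Replaying an already redeemed code is rejected as well.
    try:
        server.token("spa-client", code, verifier)
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    return {"token_type": token["token_type"],
            "wrong_verifier_rejected": wrong_verifier_rejected,
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_flow())
```

The server keeps no secret for the public client; what it stores is only the challenge, and a code intercepted in transit cannot be redeemed without the verifier that never left the client. That is the property the implicit flow cannot offer, and it is what a Spring-based implementation would need to reproduce at the token endpoint.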

githengi commented 5 years ago

This can be implemented once PKCE is implemented in Spring Security. Adding the GitHub issues that track that effort:
https://github.com/spring-projects/spring-security/issues/4943
https://github.com/spring-projects/spring-security/issues/6320

This is also dependent on the OpenSRP server Spring upgrade.