In response to an issue raised by @mynona, I have implemented significant improvements to the PKCE (Proof Key for Code Exchange) validation within the OAuth 2.0 authorization code flow in the Vapor OAuth library. This update aligns our implementation more closely with OAuth 2.0 standards, particularly in the handling of PKCE for public client scenarios.
Changes
PKCE Validation Logic: I have updated the PKCEValidator to enforce strict validation of PKCE parameters. Now, if a codeChallenge is provided during the authorization request, the corresponding codeVerifier becomes mandatory during the token exchange. This enhancement prevents the possibility of bypassing PKCE validation when it's crucial.
Refined CodeValidator: The CodeValidator has been modified to utilize the enhanced PKCEValidator. This change ensures that the validation of authorization codes robustly includes PKCE verification, thereby enhancing the security of the authorization process.
Compliance with Standards: These changes ensure that our library adheres to the OAuth 2.0 standards for PKCE, thus enhancing the robustness and security of our OAuth process, especially for public clients.
Rationale
Following the issue highlighted by @mynona, I recognized the importance of implementing strict PKCE validation. This step is key in bolstering the security measures of our OAuth implementation, significantly reducing the risk of authorization code interception attacks, a notable concern in public client scenarios.
Testing and Compatibility
I have added comprehensive tests to cover the new validation logic.
These changes maintain backward compatibility with existing OAuth flows while enforcing stricter security where needed.
This merged PR #6 delivers enhanced PKCE validation, aligning with our broader goal of implementing OpenID Connect for a more secure and streamlined user experience #3
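The strict rule described in this PR, shown as an added example that is not the Vapor OAuth library's own code (it is written in Python rather than Swift so it can be run stand-alone; the names `StoredCode`, `validate_pkce`, `s256_challenge` and `generate_verifier` are assumptions for illustration). It implements the RFC 7636 check: if a code challenge was recorded when the authorization code was issued, the token request must carry a code verifier, and that verifier must reproduce the stored challenge under the stored method (`S256` or `plain`). Omitting the verifier is rejected rather than silently skipping the check, which is the bypass the PR closes.

```python
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


@dataclass(frozen=True)
class StoredCode:
    """What the authorization server remembered when it issued the code.
    (Assumed shape for this example; the library's own storage differs.)"""
    code: str
    client_id: str
    code_challenge: Optional[str]          # None when the client sent none
    code_challenge_method: Optional[str]   # "S256", "plain", or None (defaults to plain)


def generate_verifier() -> str:
    """Client side: 32 random bytes, base64url without padding -> 43 chars."""
    return secrets.token_urlsafe(32)


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_pkce(stored: StoredCode, code_verifier: Optional[str]) -> bool:
    """Server side, at the token endpoint. Returns True only if the exchange
    may proceed. Strict rule from the PR: a challenge recorded at /authorize
    makes the verifier mandatory at /token."""
    if stored.code_challenge is None:
        # No challenge was presented at /authorize, so there is nothing to
        # verify. Whether public clients must always send a challenge is a
        # separate policy decision not covered by this example.
        return True
    if code_verifier is None:
        # The bypass this PR closes: a missing verifier must fail, not skip.
        return False
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    method = stored.code_challenge_method or "plain"  # RFC 7636 default
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform: reject rather than guess
    # Constant-time comparison so timing does not leak challenge bytes.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored.code_challenge.encode("ascii"))


if __name__ == "__main__":
    # Constructed walkthrough: a public client does the flow, then an
    # attacker who intercepted only the code tries to redeem it.
    verifier = generate_verifier()
    issued = StoredCode(code="c0de", client_id="mobile-app",
                        code_challenge=s256_challenge(verifier),
                        code_challenge_method="S256")
    print("legitimate client:", validate_pkce(issued, verifier))   # True
    print("intercepted code, no verifier:", validate_pkce(issued, None))  # False
    print("intercepted code, guessed verifier:",
          validate_pkce(issued, "A" * 43))                          # False
```

The `plain` method is accepted here only because the RFC permits it; a server that wants to rule out interception of the challenge itself can refuse anything but `S256` in the same branch.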