Even though the RP only supports the authorization code flow as a confidential client, it is still RECOMMENDED by the OAuth 2.0 Security best practices [1] to support PKCE [2]. We should add this as an option to the RP.
Added PKCE support. Can be enabled via the same profile configuration properties the OP uses, e.g. idp.oidc.forcePKCE and idp.oidc.allowPKCEPlain. I guess this could cause an issue if the OP and RP are co-loaded and they wanted different settings. Of course, alternatively, you can just enable it as an RP override for the proxied OP.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
[2] https://datatracker.ietf.org/doc/html/rfc7636