add PKCE support

[hhaensel]

This PR fixes #12 by adding a keyword pkce to `flow_request_authorization_code()

Usage

Call flow_request_authorization_code(ctx; pkce = true)

Internal Flow

• OIDCCtx now contains a field code_verifiers to hold the verifiers that are generated during the code_challenge.
• flow_request_authorization_code(ctx; pkce = true) generates a pair of code_challenge and code_verifierand stores the latter in ctx.code_verifiers[state].
• flow_get_authorization_code(ctx, query) retrieves the code together with the state and checks whether a verifier is stored under the state. If so it appends the verifier to the code with a leading space character and deletes it from code_verifiers (This is safe as the space character is not allowed as part of the code.)
• flow_get_token(ctx, code) checks whether code contains an appended verifier, if so it sends it together with the token request.
• The purge_states!() method has been adapted to also purge the verifiers. (And it has been renamed due to inconsistency with and without exclamation mark.)

Miscellaneous

• Manifest.toml has been added to .gitignore
• Github actions have been updated
• bumped JWTs' compat to include v0.3

EDIT: adapted to the changed verfier handling

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 14.28571% with 24 lines in your changes missing coverage. Please review.

Project coverage is 42.85%. Comparing base (017806e) to head (da2b7bb).

Files with missing lines	Patch %	Lines
src/OpenIDConnect.jl	14.28%	24 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master      #17      +/-   ##
==========================================
- Coverage   50.45%   42.85%   -7.61%     
==========================================
  Files           1        1              
  Lines         109      133      +24     
==========================================
+ Hits           55       57       +2     
- Misses         54       76      +22     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[hhaensel]

BTW, I tested the code with two different servers with and without extra certificate.

[hhaensel]

Meanwhile, I am not so sure whether it's a clever idea to store the code and code_verifier in a global dict. Maybe it's better to append the verifier to the code and do a split inside flow_get_token. Let me try ...

[hhaensel]

Switched to concatenating code and code_verifier rather than storing it temporarily in ctx.
Ready to merge from my end

[hhaensel]

@tanmaykm would you mind reviewing this PR?

[tanmaykm]

Thanks @hhaensel . Will take a look!

[tanmaykm]

Looks good to me, except for a suggestion regarding the type of "code" returned from flow_get_authorization_code.

[tanmaykm]

Maybe we should have a new Code struct that can hold both code and code_verifier? There is a small chance that it may break code that assumes the returned code to be a string. But it seems much cleaner.

[hhaensel]

I had the same thoughts, but I didn't want it to be breaking. Then I verified that a space character is not part of the code (https://docs.unidy.io/technical-documentation/43Yox8946664zbsR6p9VyD/oidc-authorization-flow-requesting-an-authorization-code/4c2Hsrxi5YB8w2HScPWnjx), so I opted for the current solution.
If you are in favour of a type, say

struct Code
    code::String
    verifier::String
end

we could add

Base.convert(String, code::Code) = code.code

or

Base.convert(String, code::Code) = isempty(code.verifier) ? code.code : "$(code.code) $(code.verifier)"

which would avoid a part of breaking scenarios.

[tanmaykm]

Okay, thanks for explaining. Let's keep it as it is.