Add PKCE support in OIDC & OAuth

[Tratcher]

#7734 (Best reviewed with Ignore Whitespace due to formatting improvements).

I've also cleaned up the samples quite a bit and added IdentityServer to them.

Considerations:

• For OIDC how important is it to scope PKCE to only code flow? Why not use it for everything? @brockallen @leastprivilege
• I've enabled this by default for OIDC. Tested with ADD and IdentityServer. Servers that don't support it should silently ignore it.
• I have not enabled it by default for OAuth. Only MSA and IdentityServer supported it, and OAuth servers tend to be far less standards compliant. Individual providers can opt-in.
• This required an API breaking change for OAuth and we know of at least 9 providers in aspnet-contrib that will have to update. @PinpointTownes
  • Note all of these providers were already broken by the Json changes, the update is still in progress: https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers/pull/280/files
  • https://github.com/aspnet/AspNetCore/pull/9448/files will no longer require a breaking change.
• This doubles the size of the State for OAuth and OIDC, which may contribute to long url issues.

[brockallen]

For OIDC how important is it to scope PKCE to only code flow? Why not use it for everything?

implicit there is no use of the token endpoint, thus no need.
hybrid uses the nonce and c_hash from the spec as the protection, so that's redundant (albeit more complicated for the client).

[kevinchalet]

This required an API breaking change for OAuth and we know of at least 9 providers in aspnet-contrib that will have to update. @PinpointTownes

@martincostello more breaking changes for your PR 😄

I have not enabled it by default for OAuth. Only MSA and IdentityServer supported it, and OAuth servers tend to be far less standards compliant. Individual providers can opt-in.

Sounds safer, indeed 😄