code_challenge_methods_supported field not in openid-configuration endpoint

[drunkcattt]

Expected Behavior
The code_challenge_methods_supported field should be included in the .well-known/openid-configuration endpoint.

Current Behavior
Currently, the code_challenge_methods_supported field is only available in the .well-known/oauth-authorization-server endpoint, However, we typically only use auto-discovery when using OIDC clients.

Context
In popular identity providers like Keycloak and Google (e.g., https://accounts.google.com/.well-known/openid-configuration), the code_challenge_methods_supported field is included in the openid endpoint. Some clients, such as the OAuth4WebAPI library (https://github.com/panva/oauth4webapi), also support this field.

[jgrandja]

Thanks for the report @drunkcattt. Would you be interested in submitting a PR for this enhancement?

In the meantime, you can customize the OpenID Connect 1.0 Provider Configuration Endpoint and add the code_challenge_methods_supported metadata. See providerConfigurationCustomizer() in the reference documentation.

[drunkcattt]

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java

Lines 140 to 158 in 0a87e78

	private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
	if (!StringUtils.hasText(codeVerifier)) {
	return false;
	} else if ("S256".equals(codeChallengeMethod)) {
	try {
	MessageDigest md = MessageDigest.getInstance("SHA-256");
	byte[] digest = md.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
	String encodedVerifier = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
	return encodedVerifier.equals(codeChallenge);
	} catch (NoSuchAlgorithmException ex) {
	// It is unlikely that SHA-256 is not available on the server. If it is not available,
	// there will likely be bigger issues as well. We default to SERVER_ERROR.
	throw new OAuth2AuthenticationException(OAuth2ErrorCodes.SERVER_ERROR);
	}
	}
	return false;
	}

#1329

According to the processing logic of the CodeVerifierAuthenticator, I have directly added .codeChallengeMethod("S256") to the OidcProviderConfigurationEndpointFilter, similar to the OAuth2AuthorizationServerMetadataEndpointFilter.