
Require PKCE for OAuth public clients


GitLab supports PKCE, but clients are currently not required to use it. OAuth best practice is to require PKCE for public clients: https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-4.1.2.1

[Authorization server] MUST reject requests without a code_challenge from public clients

This protects against attacks such as authorization code injection.

This would be a breaking change.

Edited by 🤖 GitLab Bot 🤖
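As an added example (not GitLab's or Doorkeeper's code), the following Ruby sketch shows what the requested policy looks like on both sides of the authorization code flow: the authorization endpoint rejects a public client's request that carries no code_challenge, and the token endpoint refuses to redeem a code unless the presented code_verifier matches the challenge the code was bound to. The client registry, the assumption that confidential clients keep PKCE optional, and the parameter handling are illustrative assumptions, not GitLab behaviour; the hash transform and verifier syntax follow RFC 7636.

```ruby
require "digest"
require "securerandom"

# Hypothetical in-memory client registry (not GitLab's or Doorkeeper's model).
# A "public" client is one that cannot keep a client secret (SPA, mobile, CLI).
CLIENTS = {
  "mobile-app"  => { public: true },
  "backend-svc" => { public: false },
}.freeze

VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/ # RFC 7636 section 4.1 charset and length

# S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding.
def s256(verifier)
  [Digest::SHA256.digest(verifier)].pack("m0").tr("+/", "-_").delete("=")
end

# Client side: generate a code_verifier and its S256 code_challenge.
def generate_pkce
  verifier = SecureRandom.urlsafe_base64(32) # 43 unreserved characters
  [verifier, s256(verifier)]
end

# Authorization endpoint: PKCE policy check before a code is issued.
# Returns [:ok, method] or [:error, error_code, description].
def check_authorization_request(client_id, params)
  client = CLIENTS[client_id]
  return [:error, "invalid_client", "unknown client_id"] unless client

  challenge = params["code_challenge"]
  method    = params.fetch("code_challenge_method", "plain") # RFC 7636 default

  if challenge.nil? || challenge.empty?
    # The requested change: requests from public clients MUST carry a code_challenge.
    return [:error, "invalid_request", "code_challenge is required for public clients"] if client[:public]
    return [:ok, nil] # confidential client: PKCE stays optional here (assumption)
  end

  return [:error, "invalid_request", "unsupported code_challenge_method"] unless %w[S256 plain].include?(method)
  return [:error, "invalid_request", "malformed code_challenge"] unless challenge.match?(VERIFIER_RE)

  [:ok, method]
end

# Constant-time byte comparison so the token endpoint does not leak the challenge.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token endpoint: `bound` is what was stored alongside the authorization code when
# it was issued ({ challenge:, method: }); `verifier` comes from the token request.
def verify_code_exchange(bound, verifier)
  return true if bound[:challenge].nil? # code was issued without PKCE
  return false unless verifier.is_a?(String) && verifier.match?(VERIFIER_RE)

  expected = bound[:method] == "S256" ? s256(verifier) : verifier
  secure_compare(expected, bound[:challenge])
end

# Walk through the attack this requirement blocks: an attacker who obtains a victim's
# authorization code (leaked redirect, injected response) tries to redeem it.
def authorization_code_injection_demo
  victim_verifier, victim_challenge = generate_pkce
  request = { "response_type" => "code", "code_challenge" => victim_challenge,
              "code_challenge_method" => "S256" }
  status, method = check_authorization_request("mobile-app", request)
  bound = { challenge: victim_challenge, method: method } # stored with the issued code

  attacker_verifier, = generate_pkce # attacker holds the code but not the victim's verifier
  {
    authorize: status,
    victim_redeems: verify_code_exchange(bound, victim_verifier),
    attacker_redeems: verify_code_exchange(bound, attacker_verifier),
  }
end
```

The breaking part of the change is the first early return in check_authorization_request: any public client that today omits code_challenge would start receiving an invalid_request error at the authorization endpoint, so rollout would need a deprecation period or a per-application opt-in.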