As an administrator, I want to have PKCE support in OpenID Connect, so that I can connect to identity providers that enforce the usage of PKCE.

1. As an administrator, configure a custom OpenID Connect provider (Enterprise) against an IdP that mandates PKCE (RFC 7636), e.g. EU Login / ECAS, issuer `https://ecas.acceptance.ec.europa.eu/cas/oauth2`, authorization-code flow, confidential client (`client_secret_basic`).
2. As an end user, start login: open `GET /auth/oidc`.
3. Inspect the 302 redirect to the IdP `authorize` endpoint and examine its query string.
4. Authenticate at the IdP and observe the callback.
### What is the buggy behavior?
- The authorization request query string contains only `client_id`, `nonce`, `redirect_uri`, `response_type`, `scope`, `state` — **no `code_challenge` / `code_challenge_method`**.
- The IdP redirects to the callback with `error=invalid_request` and `error_description=Invalid request: Missing CodeChallenge (PKCE - RFC 7636)`. Login never completes.
- There is no env var and no Admin-UI field to enable PKCE.
### Acceptance criteria: what is the expected behavior?
- OpenProject should send a PKCE `code_challenge` (S256) on the authorization request when authenticating through OpenID Connect and configured to, so login succeeds against PKCE-mandatory IdPs. The setting is exposed both as an env var (`OPENPROJECT_OPENID__CONNECT_<provider>_PKCE`) and an Admin-UI toggle.
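
A check for step 3 of the reproduction, added here as an illustration and not taken from OpenProject or `omniauth-openid-connect`: it derives an S256 `code_challenge` as RFC 7636 defines it and reports what a captured 302 `Location` is missing. The helper names, the `idp.example` / `op.example` hosts and all parameter values are constructed placeholders.

```ruby
require "securerandom"
require "digest"
require "uri"

# RFC 7636 section 4.1: the verifier is 43-128 characters from the unreserved set.
def pkce_verifier
  SecureRandom.urlsafe_base64(32) # 32 random bytes -> 43 characters, unpadded
end

# RFC 7636 section 4.2, S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
def pkce_challenge(verifier)
  [Digest::SHA256.digest(verifier)].pack("m0").tr("+/", "-_").delete("=")
end

# Returns the PKCE problems found in an authorization redirect URL.
# An empty array means the request carries a well-formed S256 challenge.
def pkce_problems(location)
  params = URI.decode_www_form(URI.parse(location).query.to_s).to_h
  problems = []
  challenge = params["code_challenge"]
  if challenge.nil?
    problems << "missing code_challenge"
  elsif challenge !~ /\A[A-Za-z0-9\-._~]{43,128}\z/
    problems << "malformed code_challenge"
  end
  # Without this parameter an IdP falls back to "plain", which is not what we want.
  unless params["code_challenge_method"] == "S256"
    problems << "code_challenge_method is not S256"
  end
  problems
end

# Constructed sample redirects: the first carries only the six parameters
# listed under the buggy behavior, the second adds the PKCE pair.
BUGGY_LOCATION = "https://idp.example/authorize?client_id=op&nonce=n1" \
                 "&redirect_uri=https%3A%2F%2Fop.example%2Fauth%2Foidc%2Fcallback" \
                 "&response_type=code&scope=openid&state=s1"
FIXED_LOCATION = "#{BUGGY_LOCATION}&code_challenge=#{pkce_challenge(pkce_verifier)}" \
                 "&code_challenge_method=S256"

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{pkce_problems(BUGGY_LOCATION).inspect}"
  puts "fixed: #{pkce_problems(FIXED_LOCATION).inspect}"
end
```
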
### Technical notes: root cause / proposed fix
- `omniauth-openid-connect` is pinned at 0.5.0 on `omniauth` 1.9.2 (opf forks); PKCE landed at gem 0.6.0. The provider model (`modules/openid_connect/app/models/openid_connect/provider.rb`) has no `pkce`/`code_challenge` attribute.
- Depends on an upgrade of the underlying `omniauth-openid-connect`
  - either by updating OP's fork of it
  - ... or by getting rid of
- Fix: add the `omniauth-openid-connect` option and bump the gem (needs a newer omniauth than the fork