webadmin: remove the implicit flow

we now use pkce. main advantage is that we don't see the access token
in the url anymore.

in pkce, the auth code by itself is useless. need the verifier.

fixes #844
Girish Ramakrishnan
2026-03-14 22:06:17 +05:30
parent dc1449c7b6
commit c15e342bb8
7 changed files with 101 additions and 28 deletions

@@ -36,15 +36,14 @@ import mailpasswords from './mailpasswords.js';
const { log, trace } = logger('oidcserver');
// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin sets callback url to authcallback.html + implicit flow
// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin uses authorization code flow with PKCE
// 2. oidcserver starts an interaction and redirects to oidc_login.html
// 3. oidc_login.html is rendered by renderInteractionPage() with the form submit url /interaction/:uid/login
// 4. When form is submitted, it invokes interactionLogin(). This validates user creds
// 5. We enter the scopes confirmation flow which is oidc_interaction_confirm.html rendered by renderInteractionPage()
// 6. We have no concept of confirmation. The page auto-submits the form immediately without user interaction
// 7. oidcserver calls interactionConfirm() which finishes it via interactionFinished().
// FIXME: webadmin's implicit flow (response_type=code token) results in authcallback.html being called with access_token query param. We should remove this
// 8. authcallback.html exchanges the authorization code for an access token via POST to /openid/token with code_verifier
const ROUTE_PREFIX = '/openid';
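Review bot: the rewritten step 1 and the new step 8 leave a gap in the flow description: nothing says where the code_verifier is generated and kept between the redirect to /openid/auth and the return to authcallback.html, or that the code_challenge sent at step 1 is derived from that verifier (S256). Since the verifier has to survive a full cross-page navigation, a short addition to step 1 along the lines of `// 1. ... Webadmin generates code_verifier, keeps it client-side for the callback and sends code_challenge (S256)` would let a reader trace the whole exchange from this comment block alone.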
@@ -719,8 +718,8 @@ async function start() {
keys: [ cookieSecret ]
},
pkce: {
required: function pkceRequired(/*ctx, client*/) {
return false;
required: function pkceRequired(ctx, client) {
return client.clientId === 'cid-webadmin' || client.clientId === 'cid-development';
}
},
clientBasedCORS(ctx, origin, client) {
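Review bot: pkceRequired now enforces PKCE only for the two hard-coded client ids, so every other registered client can still omit code_challenge and fall back to a bare authorization code exchange, which is exactly the weakness the commit message describes. If the intent is to protect all browser-based (public) clients, consider keying the check on the client's registered properties (its token endpoint auth method or application type) rather than on its id, or return true unconditionally and document any client that genuinely needs an exemption; at minimum the two string literals deserve shared constants so a renamed client id does not silently disable the requirement.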