[ApiAuth] Switches back to use code+PKCE (#12375)

* Move SPA flows to use code + pkce
* Updates OIDC dependency to 1.9-beta1

Author: javiercn

src/Identity/ApiAuthorization.IdentityServer/samples/ApiAuthSample/Controllers/ConfigurationController.cs

@@ -0,0 +1,29 @@
+using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;
+using Microsoft.AspNetCore.Mvc;
+
+namespace ApiAuthSample.Controllers
+{
+    public class ConfigurationController : ControllerBase
+    {
+        private readonly IClientRequestParametersProvider _clientRequestParametersProvider;
+
+        public ConfigurationController(IClientRequestParametersProvider clientRequestParametersProvider)
+        {
+            _clientRequestParametersProvider = clientRequestParametersProvider;
+        }
+
+        [HttpGet("/_configuration/{clientId}")]
+        public IActionResult GetClientParameters(string clientId)
+        {
+            var parameters = _clientRequestParametersProvider.GetClientParameters(HttpContext, clientId);
+            if (parameters == null)
+            {
+                return BadRequest($"Parameters for client '{clientId}' not found.");
+            }
+            else
+            {
+                return Ok(parameters);
+            }
+        }
+    }
+}

src/Identity/ApiAuthorization.IdentityServer/samples/ApiAuthSample/Pages/Index.cshtml

@@ -14,21 +14,15 @@
 </head>
 <body>
     <h1>ApiAuthSample SPA client</h1>
-    <button id="login">Login</button>
+    <button id="login" disabled>Login</button>
     <button id="logout" disabled>Logout</button>
     <button id="call-api" disabled>Call API</button>
     <div id="login-result"></div>
     <div id="api-result"></div>
     <script src="/js/oidc-client.js"></script>
-    <script id="apiauth" type="text/javascript" asp-apiauth-parameters="ApiAuthSampleSPA">
-        let $data = document.querySelector("#apiauth");
-        let configuration = {};
-        for (let key in $data.dataset) {
-            configuration[key] = $data.dataset[key];
-        }
-
-        let mgr = new Oidc.UserManager(configuration);
-    </script>
     <script src="js/app.js"></script>
+    <script id="apiauth" type="text/javascript">
+        initializeApplication();
+    </script>
 </body>
 </html>

src/Identity/ApiAuthorization.IdentityServer/samples/ApiAuthSample/wwwroot/js/app.js

@@ -1,4 +1,13 @@
-
+var ids = {
+    login: 'login',
+    logout: 'logout',
+    callApi: 'call-api',
+    loginResult: 'login-result',
+    apiResults: 'api-result'
+};
+
+let mgr = undefined;
+
 function invokeLogin() {
     // Redirects to the Authorization Server for sign in.
     return mgr.signinRedirect();
@@ -43,19 +52,14 @@ async function callApi() {
 
 // Code to update the UI
 
-if (window.location.hash) {
-    handleAuthorizationServerCallback();
-    window.location.hash = '';
+if (window.location.hash || window.location.search) {
+    initializeApplication()
+        .then(() => {
+            handleAuthorizationServerCallback();
+            window.location.hash = '';
+        });
 }
 
-let ids = {
-    login: 'login',
-    logout: 'logout',
-    callApi: 'call-api',
-    loginResult: 'login-result',
-    apiResults: 'api-result'
-};
-
 document.onreadystatechange = function () {
     if (document.readyState === 'complete') {
         let login = document.getElementById(ids.login);
@@ -68,6 +72,20 @@ document.onreadystatechange = function () {
     }
 };
 
+async function initializeApplication() {
+    const response = await fetch('_configuration/ApiAuthSampleSPA');
+    const configuration = await response.json();
+    mgr = new Oidc.UserManager(configuration);
+
+    enableLoginButton();
+
+    function enableLoginButton() {
+        const login = document.querySelector('#login');
+        login.disabled = false;
+    }
+}
+
+
 function updateUserUI(user, error) {
     let loginResults = document.getElementById(ids.loginResult);
     let heading = document.createElement('h2');