feat!: support PKCE in the oauth2 client's auth/exchange flow (#21215)

**Breaking Change:** Existing oauth apps might now use PKCE. If an
unknown IdP type was being used, and it does not support PKCE, it will
break.

To fix, set the PKCE methods on the external auth to `none`
```
export CODER_EXTERNAL_AUTH_1_PKCE_METHODS=none
```

codersdk/deployment_test.go

@@ -396,27 +396,28 @@ func TestExternalAuthYAMLConfig(t *testing.T) {
 		return string(data)
 	}
 	githubCfg := codersdk.ExternalAuthConfig{
-		Type:                "github",
-		ClientID:            "client_id",
-		ClientSecret:        "client_secret",
-		ID:                  "id",
-		AuthURL:             "https://example.com/auth",
-		TokenURL:            "https://example.com/token",
-		ValidateURL:         "https://example.com/validate",
-		RevokeURL:           "https://example.com/revoke",
-		AppInstallURL:       "https://example.com/install",
-		AppInstallationsURL: "https://example.com/installations",
-		NoRefresh:           true,
-		Scopes:              []string{"user:email", "read:org"},
-		ExtraTokenKeys:      []string{"extra", "token"},
-		DeviceFlow:          true,
-		DeviceCodeURL:       "https://example.com/device",
-		Regex:               "^https://example.com/.*$",
-		DisplayName:         "GitHub",
-		DisplayIcon:         "/static/icons/github.svg",
-		MCPURL:              "https://api.githubcopilot.com/mcp/",
-		MCPToolAllowRegex:   ".*",
-		MCPToolDenyRegex:    "create_gist",
+		Type:                          "github",
+		ClientID:                      "client_id",
+		ClientSecret:                  "client_secret",
+		ID:                            "id",
+		AuthURL:                       "https://example.com/auth",
+		TokenURL:                      "https://example.com/token",
+		ValidateURL:                   "https://example.com/validate",
+		RevokeURL:                     "https://example.com/revoke",
+		AppInstallURL:                 "https://example.com/install",
+		AppInstallationsURL:           "https://example.com/installations",
+		NoRefresh:                     true,
+		Scopes:                        []string{"user:email", "read:org"},
+		ExtraTokenKeys:                []string{"extra", "token"},
+		DeviceFlow:                    true,
+		DeviceCodeURL:                 "https://example.com/device",
+		Regex:                         "^https://example.com/.*$",
+		DisplayName:                   "GitHub",
+		DisplayIcon:                   "/static/icons/github.svg",
+		MCPURL:                        "https://api.githubcopilot.com/mcp/",
+		MCPToolAllowRegex:             ".*",
+		MCPToolDenyRegex:              "create_gist",
+		CodeChallengeMethodsSupported: []string{"S256"},
 	}
 
 	// Input the github section twice for testing a slice of configs.