Tags: asp.net-core, asp.net-core-webapi, openiddict

Authorization Code Flow and PKCE example using OpenIddict


I stumbled upon OpenIddict and after going through a few server code examples, I could not find what I was looking for. I was hoping to see an example of OpenIddict using auth code flow with PKCE, since that seems to be the recommended approach toward security now, but could not find one using both explicitly. My app is an ASP.NET Core WebAPI-based app, with a React client. Any help or guidance would be appreciated.


Solution

  • PKCE in OpenIddict works as in any other OIDC server: you just have to send a code_challenge (and optionally a code_challenge_method) when building your authorization request.

    If you do that, OpenIddict will store it in the authorization code ticket and will compare it to the code_verifier you send as part of the token request. If you don't send a code verifier, the token request will be automatically rejected.

    In 3.0, we'll introduce an option allowing you to reject authorization requests that don't use PKCE so that you can force your clients to use PKCE.