Add support for 'Authorization Code Grant with PKCE'
IAM Identity Center has added support for an authorization_code grant instead of the device_code grant, which provides a smoother user experience. The documentation on this is (in keeping with tradition w/ AWS SSO) extremely minimal/missing altogether, but I found some pretty decent comments inside the aws-toolkit-vscode repository.
You can test out the flow yourself by installing the AWS Visual Studio Code Plug-In and authenticating using the "Workforce" option. Under the hood the extension calls RegisterClient using parameters roughly like this (I've removed the codewhisper scopes):
aws --region us-west-2 sso-oidc register-client --client-name 'AWS IDE Extensions for VSCode' --client-type public --grant-types authorization_code --redirect-uris http://127.0.0.1:50383/oauth/callback --issuer-url https://d-123456.awsapps.com/start --scopes sso:account:access
It then constructs an "authorization" URL which looks like this and opens it in the user's browser:
https://oidc.us-west-2.amazonaws.com/authorize?response_type=code&client_id=<removed>&redirect_uri=http://127.0.0.1:56369/oauth/callback&scopes=sso:account:access&state=552998d0-4b83-44c3-b022-aa02005a7bd9&code_challenge=CaN1lc6CfmPsJSrYcVa68HdoA1fQIeI5Een_1a9sVA0&code_challenge_method=S256
This page skips the "device code" workflow, landing the user directly on a consent screen:
After approving the user sees this message:
Internally, VSCode takes the authorization code returned to http://127.0.0.1:56369/oauth/callback and exchanges it for a token using the same CreateToken API, passing the code and codeVerifier parameters instead of the deviceCode parameter.
From my testing, the clientName can be adjusted to something like "Granted CLI" and the redirect URI can be adjusted to any localhost port; however, it must be in the exact form of http://127.0.0.1:<port>/oauth/callback or it will be rejected during the registration call.
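The pieces of the flow described above (PKCE verifier/challenge generation, the authorize URL with the same query parameters the extension sends, a loopback listener that only accepts a callback carrying the expected state, and the CreateToken request body using code and codeVerifier instead of deviceCode) as one added Go example. This is illustrative code written for this issue, not Granted's own implementation and not the VS Code extension's code. It assumes the CreateToken exchange is a POST to /token on the same oidc.<region>.amazonaws.com host and that the request body also carries a redirectUri field alongside clientId, clientSecret, grantType, code and codeVerifier; the port 50383 and the client id placeholder are hypothetical. The redirect URI check encodes the registration behaviour observed above (only http://127.0.0.1:<port>/oauth/callback is accepted).

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"time"
)

// randomURLSafe returns n random bytes as unpadded base64url, which uses only the
// unreserved characters RFC 7636 allows in a code_verifier.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewVerifier returns a 43-character code_verifier; NewState returns the value bound to
// the browser round-trip so an unrelated callback cannot complete the login.
func NewVerifier() (string, error) { return randomURLSafe(32) }
func NewState() (string, error)    { return randomURLSafe(16) }

// ChallengeFor derives the S256 code_challenge from a code_verifier (RFC 7636 section 4.2).
func ChallengeFor(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// redirectForm is the only redirect URI shape the RegisterClient call was observed to accept.
var redirectForm = regexp.MustCompile(`^http://127\.0\.0\.1:\d{1,5}/oauth/callback$`)

// ValidRedirectURI reports whether uri is exactly http://127.0.0.1:<port>/oauth/callback.
func ValidRedirectURI(uri string) bool { return redirectForm.MatchString(uri) }

// AuthorizeURL builds the browser URL with the same query parameters the VS Code extension sends.
func AuthorizeURL(region, clientID, redirectURI, scopes, state, challenge string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scopes", scopes)
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return "https://oidc." + region + ".amazonaws.com/authorize?" + q.Encode()
}

// CreateTokenBody is the JSON body for the CreateToken exchange (assumed: POST /token on the
// same oidc host), using code and codeVerifier in place of deviceCode. The redirectUri field
// is an assumption about the API, not something shown in the issue above.
type CreateTokenBody struct {
	ClientID     string `json:"clientId"`
	ClientSecret string `json:"clientSecret"`
	GrantType    string `json:"grantType"`
	Code         string `json:"code"`
	CodeVerifier string `json:"codeVerifier"`
	RedirectURI  string `json:"redirectUri"`
}

func CreateTokenJSON(clientID, clientSecret, redirectURI, code, verifier string) ([]byte, error) {
	return json.Marshal(CreateTokenBody{ClientID: clientID, ClientSecret: clientSecret,
		GrantType: "authorization_code", Code: code, CodeVerifier: verifier, RedirectURI: redirectURI})
}

// WaitForCallback serves /oauth/callback on ln until the browser delivers a code whose state
// matches expectedState. Requests with a wrong or missing state get 400 and are ignored, so a
// stray request to the local port cannot inject a code into the flow.
func WaitForCallback(ctx context.Context, ln net.Listener, expectedState string) (string, error) {
	codes := make(chan string, 1)
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth/callback", func(w http.ResponseWriter, r *http.Request) {
		code := r.URL.Query().Get("code")
		if r.URL.Query().Get("state") != expectedState || code == "" {
			http.Error(w, "invalid callback", http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Login complete, you can close this window.")
		select {
		case codes <- code: // first valid code wins
		default:
		}
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	defer func() { // let the in-flight response finish before tearing the listener down
		sctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
		defer cancel()
		srv.Shutdown(sctx)
	}()
	select {
	case code := <-codes:
		return code, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}
```

Usage: call RegisterClient with --grant-types authorization_code and a redirect URI that passes ValidRedirectURI, listen on that exact port with net.Listen("tcp", "127.0.0.1:50383"), open AuthorizeURL in the browser, block in WaitForCallback with the same state, then POST CreateTokenJSON to the token endpoint. Keeping the verifier in memory only and binding the callback to the state value are the two checks that make the loopback redirect safe to use from a CLI.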