Summary
The getAuthorizationUrl function does not take into account the code_challenges_supported for OIDC providers.
Details
The code block here initializes a local variable as that gets assigned to instead of the as at the outer scope, defined here. This means that the check for as.code_challenges_supported will never execute here.
How to reproduce
Import MicrosoftEntraId provider.
Set clientId, clientSecret, tenantId.
Login with MicrosoftEntraId.
It works, but it shouldn't.
Microsoft Entra's OIDC discovery endpoint does not return a code_challenges_supported array, but it's supposed to return ['pkce'] because it's actually required.
Expected behavior
If the code logic is correct, then Microsoft Entra should actually throw an error upon login, because they do not return code_challenges_supported from their discovery endpoint, despite requiring it to login.
Ideally, both scenarios could co-exist - Microsoft Entra's discovery endpoint not matching the specification, but Auth.js still being able to handle the edge case somehow.
I think my solution would be to provide an authorizationServer to the OIDC config, where settings can be provided manually to "patch" non-compliant discovery endpoints.
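The shadowing defect the issue describes, shown as an added example that is not Auth.js code: a local `as` hides the outer `as`, so the PKCE guard is never reached. The fixed variant also accepts a manual `authorizationServer` override as the reporter proposes. Function and field names apart from `code_challenge_methods_supported` (the standard discovery metadata key) are hypothetical, and the discovery documents are constructed.

```javascript
// Constructed discovery metadata. The first omits the PKCE field, as the issue
// reports for Microsoft Entra; the second advertises S256 support.
const DISCOVERY_WITHOUT_PKCE = {
  issuer: "https://idp.example/",
  authorization_endpoint: "https://idp.example/authorize",
};
const DISCOVERY_WITH_PKCE = {
  ...DISCOVERY_WITHOUT_PKCE,
  code_challenge_methods_supported: ["S256"],
};

// Guard shared by both variants: with the pkce check enabled, a server that
// does not advertise S256 must be rejected instead of silently accepted.
function assertPkceSupported(provider, as) {
  if (
    provider.checks.includes("pkce") &&
    as &&
    !as.code_challenge_methods_supported?.includes("S256")
  ) {
    throw new Error("authorization server does not advertise S256 PKCE support");
  }
  return provider.checks;
}

// Buggy variant (hypothetical reconstruction of the defect in the issue).
function buggyResolveChecks(provider, discovered) {
  let as; // outer `as`, meant to hold the discovered metadata
  if (provider.type === "oidc") {
    const as = discovered; // shadows the outer `as`; the outer one stays undefined
    void as;
  }
  // `as` is undefined here, so the guard is skipped and login "works".
  return assertPkceSupported(provider, as);
}

// Fixed variant: assign the outer `as`, and let a manual authorizationServer
// override patch a non-compliant discovery document.
function fixedResolveChecks(provider, discovered) {
  let as;
  if (provider.type === "oidc") {
    as = { ...discovered, ...(provider.authorizationServer ?? {}) };
  }
  return assertPkceSupported(provider, as);
}
```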
ap0nia added the labels "bug" (Something isn't working) and "triage" (Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.) on Oct 4, 2024.
Environment
N/A
Reproduction URL
https://github.com/ap0nia/next-auth