OIDC PKCE should be allowed with hybrid flow

[brockallen]

This line only allows the use of PKCE with code flow:

https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L369

But PKCE can also be used with hybrid flow. Please allow that as well.

[kevinchalet]

By hybrid, I suppose you mean code id_token only and not code id_token token or code token?

Some implementations are known for blocking code id_token token or code token when using PKCE (it doesn't make much sense to force apps to use PKCE if an access token is returned straight from the authorization endpoint). Since UsePkce is set to true by default, it could be potentially breaking.

[scottbrady91]

Damn it, Brock: #10928 (comment)