PKCE support for OAuth2

[feature-not-a-bug]

Feature request

My understanding is OAuth 2.1 will require PKCE, and this is the default mechanism for Keycloak and Zitadel.

https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 contains the detailed spec, but the gist is to generate a random code_verifier value and a hashed code_challenge in lieu of storing a client secret in the app.

My expedient solution is to modify runOAuth2, authorizationUrl and tokenParams in a local fork and add crypton as a dependency but that's probably invasive for any existing users of the library.

[feature-not-a-bug]

Not worth creating a PR for general consumption, but in case someone needs a quick solution. feature-not-a-bug@6812718

Tested with Keycloak 26.4.5

[seanhess]

I think the solution is to create a hyperbole-oauth2 package which can depend on whatever it needs. If someone wants to work on this let me know!