Support PKCE (RFC 7636)

[alex-ng-wesoft]

Per the current OAuth 2.0 Security Best Current Practice:

Clients MUST prevent injection (replay) of authorization codes into
the authorization response by attackers.  Public clients MUST use
PKCE [RFC7636] to this end.  For confidential clients, the use of
PKCE [RFC7636] is RECOMMENDED.

It would be nice for this library to implement PKCE so the best current practice is followed.
In addition, the current OAuth 2.1 draft requires PKCE, so implementing support now would make supporting OAuth 2.1 easier in the future (if desired).

Anyways, thanks for the work so far on the library!

[alex-ng-wesoft]

FWIW I have already implemented PKCE support for Azure AD in a local project, and I'm willing to upstream the applicable parts if it helps.
Note that if I do upstream the changes I will limit support to just AAD since I'm not in a position to test all the other providers.