Adopt PKCE

[aaronpk]

PKCE is very useful, especially for clients that don't have a client secret, which is all IndieAuth clients. We should include this in the spec so that every IndieAuth client and server does PKCE by default.

[tbhb]

~Currently adding this to tonyburns.net via Singulus (https://github.com/craftyphotons/singulus/tree/pkce and https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-PKCE-flow)~

Turns out this was trivial to implement with Doorkeeper for Singulus and was just a matter of adding the columns for it in the grants table.

[aaronpk]

This was discussed at the IndieAuth Popup Session, and the outcome of the discussion was:

• Good idea to add this since it's a security feature that applies to IndieAuth clients (all IndieAuth clients are considered public OAuth clients)
• Require S256 algorithm
• The text to add to the spec to do this is much simpler once #42 and #44 are removed
• For backwards compatibility, IndieAuth servers will need to support non-PKCE clients. If the auth code request contains a code_challenge then the token request MUST include code_verifier. If the auth code request does not contain code_challenge, the token request MUST NOT include a code_verifier.