support code_verifier/code_challenge in OAuth2

[WIGGLES-dev]

It is becoming an OAuth recommendation that state and code_verifier/code_challenge be used together to ensure that nobody can hijack your OAuth exchange code in server flows.

This simply allows you to pass your verifier to the oauth2 callback (it was literally impossible before) in case you need to. It is up to the user to generate your challenge and encode it.

This is an MVP for my use case so I am opening an issue and immediately opening a pull request for it.