Viktor Sinčák

Results 9 comments of Viktor Sinčák

This PR supports **code_challenge** parameter and **code_challenge_method** parameter to be saved with the authorization code. Then it supports validation of **code_verifier** when requesting access token. What is missing, **code_challenge** parameter...

Thank you for the feedback. Yes, I didn't find a better solution for ignoring client_secret. As you stated, `requireClientAuthentication` is not a good solution. In this implementation, you can pass client_secret in...

No, the idea of PKCE describes a technique to mitigate the authorization code interception attack. I agree that public clients should not use client_secret (as per RFC 8252), but the server should...

Sorry, but there are many conflicts in the rebase process. Would merging dev into this PR be OK? I need to refactor the authorize handler to resolve the conflicts.

@mjsalinger done.

@yhc44 Do you want to use this feature in your SPA app? Because SPAs would not benefit from PKCE. PKCE is only useful in public native clients (mobile apps).

Look at the Authorization header. In your example from the RFC, it's `Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW`. After base64 decoding it's `s6BhdRkqt3:gX1fBat3bV`. So in this example, client_id is `s6BhdRkqt3`...

Would you like to implement an OAuth 2 server with Express.js? If yes, I recommend this wrapper: https://github.com/oauthjs/express-oauth-server

I agree with @mikelax. Refreshing an access token is out of the scope of JWT. Check the OAuth 2 refresh token implementation: https://tools.ietf.org/html/rfc6749#section-1.5