This repository was archived by the owner on May 31, 2022. It is now read-only.
Support for PKCE in server #655
Closed
Description
If a client sends a code_verifier to the /authorize endpoint, then the /token endpoint should require it (in a different form) in the token request that accompanies the auth code. This is to mitigate attacks on mobile clients (which we don't support, but we do expect perhaps to be used with our server endpoints): https://www.rfc-editor.org/rfc/rfc7636.txt.
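The server-side check requested above, as an added example that is not code from this repository: under RFC 7636 the authorization request carries a code_challenge and the token request carries the matching code_verifier. The function names, the in-memory store and the sample verifier are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")
# Hypothetical in-memory store: authorization code -> (challenge, method).
_codes = {}


def s256(verifier):
    """BASE64URL(SHA256(ASCII(verifier))) without padding (section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(code_challenge=None, method="plain"):
    """Issue a code bound to the challenge, if the client sent one."""
    if code_challenge is not None and method not in ("plain", "S256"):
        raise ValueError("invalid_request: unknown code_challenge_method")
    code = secrets.token_urlsafe(16)
    _codes[code] = (code_challenge, method)
    return code


def token(code, code_verifier=None):
    """Redeem a code once; True only if the PKCE check passes."""
    entry = _codes.pop(code, None)  # single use, even when the check fails
    if entry is None:
        return False
    challenge, method = entry
    if challenge is None:
        # No PKCE on this code. Rejecting a stray verifier is this example's choice.
        return code_verifier is None
    if code_verifier is None or not VERIFIER_RE.fullmatch(code_verifier):
        return False
    expected = s256(code_verifier) if method == "S256" else code_verifier
    return hmac.compare_digest(expected.encode(), challenge.encode())


def demo():
    verifier = "A" * 43  # constructed sample value, not a real secret
    good = token(authorize(s256(verifier), "S256"), verifier)
    missing = token(authorize(s256(verifier), "S256"))
    wrong = token(authorize(s256(verifier), "S256"), "B" * 43)
    return good, missing, wrong
```

Once a challenge is bound to a code, a token request with no verifier fails rather than falling back to the non-PKCE path, which is the behaviour the issue asks for.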