| author | Juha Vuolle <juha.vuolle@qt.io> | 2024-04-24 09:00:11 +0300 |
|---|---|---|
| committer | Juha Vuolle <juha.vuolle@qt.io> | 2024-05-22 14:30:41 +0300 |
| commit | 682335147e5a5ee58df41c18d2e0176aea6580fe (patch) | |
| tree | 16c7ab4cf12dd20354090e86d532499cba1ce3d8 /src/oauth/qoauthhttpserverreplyhandler.cpp | |
| parent | a2e22926a568ceb0c11c539913b7d8e188d8b198 (diff) | |

Add support for PKCE

PKCE (RFC 7636) is a MUST in RFC 8252 which lays out OAuth2
best practices for native applications.

PKCE mitigates the risk of authorization code intercepting.

PKCE is only relevant for OAuth2 "Authorization Code" flow,
which is the only OAuth2 flow Qt supports out of the box.

The S256 method is set as the default. Sending out the
PKCE parameters should not cause harm even if the
authorization server didn't support them.

[ChangeLog][QOAuth2AuthorizationCodeFlow] Added PKCE support
and turned it on by default

Fixes: QTBUG-124327
Change-Id: Ic0242be1b8afcd9baa3ff071989d58ddabf753a2
Reviewed-by: Ivan Solovev <ivan.solovev@qt.io>

Diffstat (limited to 'src/oauth/qoauthhttpserverreplyhandler.cpp')
0 files changed, 0 insertions, 0 deletions
