Tags: merchantos/oauth2-server-php
Add support for authorization code grant with PKCE for distributed apps

- move handlers for code challenge from OIDC Authorization Controller to the base authorization controller, so that non-OIDC flows can leverage it as well
- Add mechanism to enforce PKCE code challenges for public clients
- Add mechanism to configure supported code challenge methods
- change code_verifier comparison to use hash_equals() to avoid timing attacks
- added tests for all PKCE code challenge flows