We need to support [PKCE](https://tools.ietf.org/html/rfc7636), which allows secure use of redirections by public clients where the redirection can be hijacked.
