
Support OAuth 2.0 Authorization Code flow with PKCE #5348

@poveilleux

Description


Is your feature request related to a problem?

In the light of the new IETF related to OAuth 2.0 for Browser-Based Apps (see 4. Overview), an application running in a browser and using the Authorization Code flow should be using PKCE (Proof Key for Code Exchange) for increased security. It is not the case currently with swagger-ui. This article by Brock Allen also touches on the subject.

Describe the solution you'd like

Every time the authorizationCode flow is used (these are based on the PKCE IETF linked above):

  1. A code_verifier is generated (potentially using uuid4 like they do in oidc-client-js). This value needs to be stored somewhere because it needs to be sent on the Token request (looking at the code, I figured win.swaggerUIRedirectOauth2 would be the right place to store this).
  2. Create the code_challenge for the code_verifier (hashed using SHA256) and send this on the Authorize request alongside the code_challenge_method.

Describe alternatives you've considered

  • I've considered using additionalQueryStringParams to feed in the code_verifier and the code_challenge, but these values need to be generated on each authorize request.
  • I've considered using the Inject JavaScript functionality, but I feel like I would be replacing whole methods from swagger-ui which would bind me to a certain version of the code.

Additional context

I feel this is something that should be introduced into swagger-ui because of the added security it provides. Everybody would and should benefit from it.
