"OAuth PKCE", which I, John Bradley (Ping), and Naveen Agarwal (Google) are credited as co-authors,[RFC 7636] It was originally called OAuth SPOP (Symmetric Proof of Possession), but since it was expanded to include more than just symmetric, it was renamed Proof Key for Code Exchange (PKCE, pixie = fairy), and is still used today.
This standard addresses the code interception attack against public clients of OAuth 2.0 [RFC6749] by generating an ephemeral key and using it to prove possession of that key. It is backward compatible with RFC6749 and is easy to implement, so I think it would be best to use this standard from now on.
We'd like to thank Eduardo Gueiros, James Manger, Brian Campbell, Mike Jones, William Denniss, and everyone who participated in working on the security aspects of this standard, as well as the OAuth working group, its chairs, area directors, and the IETF members who worked on the development of this standard.
We would like to add that OAuth PKCE has already been widely adopted in a certain company's video site app and other applications.
[RFC6749] Hardt, D.: The OAuth 2.0 Authorization Framework (2012), https://tools.ietf.org/html/rfc6749