Clarify the PKCE mechanism

[dickhardt]

intro paragraph in the 4.1.1 (2nd paragraph) define code_verifier and code_challenge and refer to a new section on how it works and reference the exception for OpenID Connect

change

REQUIRED or RECOMMENDED (see [Section 7.5.1](https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html#authorization_codes)). Code challenge.```

to be REQUIRED unless ....  The code_challenge as described in XXX