Follow-up from "Fix PKCE validation blocking MCP token refresh"
The following discussion from !209820 (merged) should be addressed:
- @daniele-gitlab started a discussion: (+5 comments)

  ```ruby
  # PKCE validation only applies to authorization_code grants per RFC 7636 Section 4.5.
  return unless params[:grant_type] == 'authorization_code' # rubocop:disable Rails/StrongParams -- Only accessing a single named param
  ```

  **suggestion (blocking):** I think a positive condition would be cleaner. This works because the PKCE validation only applies to `authorization_code` grants per RFC 7636, making it explicit and future-proof for any additional grant types.

  This got me confused as our documentation currently states:

  > To retrieve a new access_token, use the refresh_token parameter. Refresh tokens may be used even after the access_token itself expires. This request:
  >
  > - Invalidates the existing access_token and refresh_token.
  > - Sends new tokens in the response.
  >
  > ```ruby
  > parameters = 'client_id=APP_ID&refresh_token=REFRESH_TOKEN&grant_type=refresh_token&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
  > RestClient.post 'https://gitlab.example.com/oauth/token', parameters
  > ```

  Where `code_verifier` is passed in the request. However, refresh token grants (RFC 6749 Section 6) do not use `code_verifier`. This doesn't seem to be addressed in our codebase or Doorkeeper gem, so it looks like the documentation has an error. Please allow me to check internally and get an additional pair of eyes on this 🙏
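An added illustration of the grant-type-aware check discussed above (example code, not GitLab's or Doorkeeper's own): PKCE verification keyed on a positive allow-list of grant types, so a `refresh_token` request is never checked for `code_verifier` even when a client passes one, while an `authorization_code` request is rejected if the verifier is missing or does not match. The `PkceCheck` module, the `stored_challenge`/`stored_method` keywords and the plain string-keyed params hash are assumptions.

```ruby
require 'digest'

# Illustrative PKCE check (RFC 7636); not Doorkeeper's or GitLab's own code.
# Assumed: the server stored code_challenge and code_challenge_method when it
# issued the authorization code, and token-endpoint params arrive as a Hash.
module PkceCheck
  # Positive list of grant types PKCE verification applies to (RFC 7636 4.5).
  # refresh_token and other grants (RFC 6749 Section 6) are deliberately absent,
  # so adding a new grant type never silently picks up the check.
  PKCE_GRANT_TYPES = %w[authorization_code].freeze

  def self.pkce_applies?(grant_type)
    PKCE_GRANT_TYPES.include?(grant_type)
  end

  # Derive the challenge from a verifier (RFC 7636 4.2): S256 is
  # BASE64URL(SHA256(verifier)) without padding; plain is the verifier itself.
  def self.challenge_for(verifier, method)
    case method
    when 'S256'
      [Digest::SHA256.digest(verifier)].pack('m0').tr('+/', '-_').delete('=')
    when 'plain'
      verifier
    else
      raise ArgumentError, "unsupported code_challenge_method: #{method.inspect}"
    end
  end

  # :skipped for grants PKCE does not cover, :ok on a matching verifier,
  # :invalid_grant when the verifier is missing or wrong (RFC 7636 4.6).
  def self.validate(params, stored_challenge:, stored_method:)
    return :skipped unless pkce_applies?(params['grant_type'])

    verifier = params['code_verifier']
    return :invalid_grant if verifier.nil? || verifier.empty?

    expected = challenge_for(verifier, stored_method)
    constant_time_equal?(expected, stored_challenge) ? :ok : :invalid_grant
  end

  # Constant-time comparison so a wrong verifier does not leak how many
  # leading bytes matched.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The S256 pair used in the test below is the worked example from RFC 7636 Appendix B.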