Testing PKCE / accepting unknown parameters
We should add a FAPI-RW (and an OIDCC?) test that does the flow using valid PKCE.
FAPI-RW does not require servers to support PKCE, but the server must accept this even if it doesn't support PKCE - the OAuth2 RFCs require servers to accept unknown parameters at the authorization & token endpoints.
Clients may well use PKCE regardless, and it is expected to succeed.
We could probably also send some completely unknown parameters.
Edited by Joseph Heenan
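The requests such a test would send can be sketched as follows; this is an added example, not code from the conformance suite or from the issue author. It builds a plain OAuth 2.0 code-flow authorization request and token request carrying valid S256 PKCE values (RFC 7636) plus a constructed unknown parameter, and classifies the callback so that an `error` response from a server that should have ignored the extra parameters counts as a failure. The endpoint URLs, client_id, the `x_unknown_param` name and all helper names are assumptions, and FAPI-RW request objects are left out.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # 32 random octets give a 43-character code_verifier (RFC 7636 section 4.1)
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_url(endpoint, client_id, redirect_uri, state, verifier, extra=None):
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": "openid", "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    params.update(extra or {})  # e.g. a parameter the server has never heard of
    return endpoint + "?" + urlencode(params)

def token_request_body(code, redirect_uri, verifier, extra=None):
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    body.update(extra or {})
    return urlencode(body)

def classify_callback(callback_url, expected_state):
    # Response parameters arrive in the query or, for hybrid flows, the fragment
    parts = urlsplit(callback_url)
    q = parse_qs(parts.query or parts.fragment)
    if q.get("state", [None])[0] != expected_state:
        return "state-mismatch"
    if "error" in q:
        return "rejected:" + q["error"][0]  # server refused the PKCE/unknown params
    return "accepted" if "code" in q else "no-code"

if __name__ == "__main__":
    v = new_verifier()
    unknown = {"x_unknown_param": "1"}  # constructed, deliberately meaningless
    print(authorization_url("https://as.example/authorize", "client-1",
                            "https://rp.example/cb", "s1", v, unknown))
    print(token_request_body("code-from-callback", "https://rp.example/cb", v, unknown))
```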