pilcrowOnPaper / arctic

OAuth 2.0 clients for popular providers

Home Page: https://arctic-reddit.vercel.app


PKCE flows do not use state

LinusOP opened this issue · comments

The issue

Certain providers might make PKCE optional simply by not enabling it if code_verifier is not present in the initial request. Such a provider is susceptible to a PKCE downgrade attack.

The solution

The solution in this case would be to also use the state parameter in the OAuth2ProviderWithPKCE clients. If state is present then a PKCE downgrade attack is not possible as the flow is stopped and disregarded upon the attacker sending a bad authorization code to the client callback.

Whilst I have not looked at all the PKCE providers yet, the interface makes it look like it should be relatively simple to add an optional state variable to the OAuth2ProviderWithPKCE interface for the createAuthorizationURL function in a way that would allow state to be used without breaking existing implementations not using/expecting it.

Unfortunately, due to the existence of an options object on the existing implementations (not present on the interface), it does not seem possible (at least easily) to add this in a non-breaking way.
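A defensive sketch, added here as an illustration and not Arctic's own code, of what the issue asks for: state and code_verifier are minted together and bound to the browser session at the start of the flow, and the callback releases an authorization code for exchange only when the returned state matches the stored one, so a code arriving with a foreign or missing state is dropped regardless of whether the provider enforced PKCE. The provider endpoint, client id, redirect URI and the in-memory session store are placeholders.

```typescript
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

// One pending login per browser session, kept server-side (hypothetical store).
export interface PendingLogin {
  state: string;
  codeVerifier: string;
}

// Start of the flow: mint state and the PKCE code_verifier together and bind
// both to the caller's session before redirecting to the provider.
export function beginLogin(store: Map<string, PendingLogin>, sessionId: string): URL {
  const state = randomBytes(32).toString("base64url");
  const codeVerifier = randomBytes(32).toString("base64url"); // 43 chars, RFC 7636 minimum
  store.set(sessionId, { state, codeVerifier });
  // S256 challenge: BASE64URL(SHA-256(code_verifier))
  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
  // Provider endpoint, client id and redirect URI below are placeholders.
  const url = new URL("https://provider.example/oauth2/authorize");
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", "example-client-id");
  url.searchParams.set("redirect_uri", "https://app.example/callback");
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");
  return url;
}

// Constant-time comparison; lengths are checked first because timingSafeEqual
// throws on unequal buffer lengths.
function equalStrings(a: string, b: string): boolean {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Callback: the pending record is consumed on first use (no replay), and the
// code is handed back for the token exchange only if state matches.
export function handleCallback(
  store: Map<string, PendingLogin>, sessionId: string, callbackUrl: URL,
): { code: string; codeVerifier: string } | null {
  const pending = store.get(sessionId);
  if (!pending) return null;
  store.delete(sessionId);
  const state = callbackUrl.searchParams.get("state");
  const code = callbackUrl.searchParams.get("code");
  if (state === null || code === null) return null;
  if (!equalStrings(state, pending.state)) return null;
  return { code, codeVerifier: pending.codeVerifier };
}
```

The returned code and codeVerifier are what the client would then send to the provider's token endpoint; nothing is exchanged on a state mismatch.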