
Showing posts from 2021

"How Do I Test It?" Proof Key for Code Exchange by OAuth2 Public Clients

Having adapted an example OpenID Connect server (built in Rails) into a production system, I needed to add PKCE support so that it could be used securely to let mobile applications log in. OAuth2 (and therefore OpenID Connect) isn't considered secure on mobile devices on its own, because a rogue application on the same device can hijack the authorization code. Here I'll try to describe the thought process that goes not into the implementation, but into the interpretation of the spec into a set of tests that will let us be reasonably confident that mobile clients will be able to connect. (Pleasingly, the first time the mobile integrators tried to connect with PKCE it worked perfectly, on both the error and the success paths.) My implementation is in Ruby, of course, and my tests are in RSpec with expectations, so some of the language might not be generic, but the concepts should map to other languages and frameworks. I've marked the actual tests I needed in yellow with the word TEST:...