A small bug in your example client -- the PKCE challenge is not correct.

I discovered this bug while I was testing an authentication service, and I used the example client in this repo as the third-party client. The authentication service returned an error to the client indicating that the code_verifier did not match. When I looked into it, the code does, in fact, match, except for the encoding padding.

Unsure which was correct, I checked the RFC.
https://www.rfc-editor.org/rfc/rfc7636.txt

Section 3, regarding the Base64url Encoding, states the following:

    Base64 encoding using the URL- and filename-safe character set
    defined in Section 5 of [RFC4648], with all trailing '='
    characters omitted (as permitted by Section 3.2 of [RFC4648]) and
    without the inclusion of any line breaks, whitespace, or other
    additional characters. (See Appendix A for notes on implementing
    base64url encoding without padding.)

The problem is that this function https://github.com/go-oauth2/oauth2/blob/master/example/client/client.go#L138 does not trim the pesky '=' symbols off the end, and we have to specifically turn the padding off to be compliant.

And in case you are wondering how it is that the server package in this repo works: this server trims the padding for us, so it would accept the challenge with or without the padding.
https://github.com/go-oauth2/oauth2/blob/master/const.go#L63

    ...
    case CodeChallengeS256:
        s256 := sha256.Sum256([]byte(ver))
        // trim padding
        a := strings.TrimRight(base64.URLEncoding.EncodeToString(s256[:]), "=")
        b := strings.TrimRight(cc, "=")
        return a == b

Apparently, the authentication server I'm testing with is a bit more strict.
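The following is an added example, not code from the go-oauth2/oauth2 repo or from the issue author. It shows the two ways of deriving an S256 code_challenge side by side: the compliant form (`base64.RawURLEncoding`, no trailing `=`) and the padded form the example client produces (`base64.URLEncoding`), and then what a strict server and a lenient server (one that trims `=` on both sides, as the repo's server does) make of each. The function names (`S256Challenge`, `PaddedS256Challenge`, `VerifyStrict`, `VerifyLenient`, `NewCodeVerifier`) are my own; the test vector in `main` is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// NewCodeVerifier returns a fresh PKCE code_verifier: 32 random bytes,
// base64url-encoded without padding, which yields 43 characters and so
// sits inside the 43..128 length range RFC 7636 Section 4.1 requires.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge is the RFC 7636 Section 4.2 derivation:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) with no '=' padding.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// PaddedS256Challenge deliberately reproduces the example-client bug:
// base64.URLEncoding keeps the trailing '=' that the RFC says to omit.
func PaddedS256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.URLEncoding.EncodeToString(sum[:])
}

// VerifyStrict models a server that recomputes the challenge per the RFC
// and compares it byte-for-byte; a padded challenge fails here.
func VerifyStrict(verifier, challenge string) bool {
	want := S256Challenge(verifier)
	return subtle.ConstantTimeCompare([]byte(want), []byte(challenge)) == 1
}

// VerifyLenient mirrors the trim-both-sides check quoted from the repo's
// server: padded and unpadded challenges are both accepted.
func VerifyLenient(verifier, challenge string) bool {
	a := strings.TrimRight(PaddedS256Challenge(verifier), "=")
	b := strings.TrimRight(challenge, "=")
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

func main() {
	// Test vector from RFC 7636 Appendix B.
	const verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"

	good := S256Challenge(verifier)
	bad := PaddedS256Challenge(verifier)
	fmt.Println("compliant challenge:", good)
	fmt.Println("padded challenge:   ", bad)

	for _, c := range []string{good, bad} {
		fmt.Printf("%-45s strict=%v lenient=%v\n",
			c, VerifyStrict(verifier, c), VerifyLenient(verifier, c))
	}

	// A freshly generated verifier round-trips against a strict server.
	v, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh verifier verifies strictly:", VerifyStrict(v, S256Challenge(v)))
}
```

The fix on the client side is the one-word change from `base64.URLEncoding` to `base64.RawURLEncoding` in the challenge derivation; the lenient server check still passes afterwards, so nothing else needs to move.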