
OAuth2 - PKCE #131

Merged
merged 4 commits into from Aug 11, 2020

Commits on Jun 23, 2020

  1. OAuth2 - PKCE

    * Add a `pkce` option to the oauth2 strategy that defaults
      to `false`.
    * When the option is true, the client will authorize with the
      provider using PKCE (proof key for code exchange) [1]. This
      enhances the security footprint of the interaction and is now
      recommended by the IETF for all OAuth2 code grant interactions.
    * At a high level, PKCE works as follows:
      1. Generate a new random code verifier string value with a
         minimum length of 43 characters and a maximum length of
         128 characters.
      2. Take the SHA256 hash value of the code verifier string and
         perform a URL-safe Base64 encode of the result as defined
         in [2].
      3. Pass `code_challenge={Base64(SHA256(code_verifier))}`
         and `code_challenge_method=S256` query parameters with
         the client OAuth2 authorize request.
      4. In the callback_phase, pass the `code_verifier` in plaintext
         to the provider as a query parameter to the OAuth2 token
         endpoint. This provides strong guarantees to the OAuth provider
         that the client is the same entity that requested authorization.
    
    [1]: https://tools.ietf.org/html/rfc7636
    [2]: https://tools.ietf.org/html/rfc7636#appendix-A
    jessedoyle committed Jun 23, 2020
    e53f2cb
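The four steps in the commit message above, worked through end to end in Ruby as an added example; this is not code from this PR or from the project it targets. Both halves of the exchange are modelled: the client side (verifier generation, S256 challenge, authorize parameters) and a hypothetical `provider_verifies?` that stands in for the check RFC 7636 section 4.6 requires of the token endpoint. The client id, redirect URI, state and provider URL are placeholder values; the RFC 7636 Appendix B vector is used to confirm the encoding.

```ruby
require 'securerandom'
require 'digest'
require 'base64'
require 'uri'

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from
# unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
VERIFIER_FORMAT = /\A[A-Za-z0-9\-._~]{43,128}\z/.freeze

# Step 1: fresh random code_verifier. 32 random bytes base64url-encode
# (no padding) to exactly 43 characters, the RFC minimum; 96 bytes give
# the 128-character maximum. urlsafe_base64 emits only unreserved chars.
def generate_code_verifier(random_bytes = 32)
  verifier = SecureRandom.urlsafe_base64(random_bytes, false)
  raise ArgumentError, 'code_verifier outside 43..128 chars' unless VERIFIER_FORMAT.match?(verifier)
  verifier
end

# Step 2: S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))).
# RFC 7636 Appendix A requires the trailing "=" padding to be stripped;
# a provider comparing strings will reject a padded challenge.
def code_challenge_for(verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
end

# Step 3: parameters the client adds to the authorize request.
# client_id, redirect_uri and state are placeholders for this example.
def authorize_params(verifier, client_id:, redirect_uri:, state:)
  {
    'response_type' => 'code',
    'client_id' => client_id,
    'redirect_uri' => redirect_uri,
    'state' => state,
    'code_challenge' => code_challenge_for(verifier),
    'code_challenge_method' => 'S256'
  }
end

def authorize_url(endpoint, params)
  "#{endpoint}?#{URI.encode_www_form(params)}"
end

# Byte-wise comparison that does not short-circuit on the first mismatch,
# so timing does not leak how much of the challenge matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Step 4, provider side (hypothetical model, not any real server's code):
# the token endpoint receives code_verifier with the authorization code,
# recomputes the challenge it stored at authorize time and compares.
def provider_verifies?(stored_challenge, stored_method, presented_verifier)
  return false unless stored_method == 'S256'
  return false unless VERIFIER_FORMAT.match?(presented_verifier.to_s)
  constant_time_equal?(code_challenge_for(presented_verifier), stored_challenge)
end

if $PROGRAM_NAME == __FILE__
  verifier = generate_code_verifier
  params = authorize_params(verifier,
                            client_id: 'example-client',            # placeholder
                            redirect_uri: 'https://app.example/cb', # placeholder
                            state: SecureRandom.hex(8))
  # The provider stores code_challenge + method against the issued code.
  stored = params['code_challenge']
  puts authorize_url('https://provider.example/oauth/authorize', params) # placeholder URL
  puts "token endpoint accepts real verifier:  #{provider_verifies?(stored, 'S256', verifier)}"
  puts "token endpoint accepts stolen code only: #{provider_verifies?(stored, 'S256', generate_code_verifier)}"
end
```

The second `puts` line is the property PKCE buys: an attacker who intercepts the authorization code but not the verifier cannot redeem it, because only the SHA-256 of the verifier ever crossed the front channel. Keep the verifier in server-side session state between the authorize and callback phases; it must not be exposed to the browser.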

Commits on Jun 28, 2020

  1. OAuth2 - PKCE | CI

    * Resolve all current rubocop violations for rubocop
      v0.86.0.
    Jesse Doyle committed Jun 28, 2020
    a7b3b73

Commits on Aug 10, 2020

  1. OAuth2 - PKCE | CI

    __review__
    
    * Remove Ruby 2.3 frozen string magic comments as requested because
      it is out of scope for this feature.
    * Add an exception to `rubocop.yml` so that the missing
      magic comment is not a CI failure.
    * Add exceptions for `Lint/MissingSuper` and
      `Gemspec/RequiredRubyVersion` to minimize churn on the feature.
    Jesse Doyle committed Aug 10, 2020
    13dde0c

Commits on Aug 11, 2020

  1. Minor refactor of pkce

    BobbyMcWho authored and Jesse Doyle committed Aug 11, 2020
    53ade6b