Investigate on ways to protect the generated code verifier from interception
Is there any realistic scenario where this could happen ?
If not the report section needs to be rewritten. The PKCE would only be a way to use Authorization code grant without client secret but doesn't bring more security.