andifalk/secure-oauth2-oidc-workshop

Use authcode + PKCE for spring mvc/thymeleaf client as well

andifalk opened this issue · 0 comments

As of Spring Security 5.2, PKCE is also supported.
Using PKCE is even recommended for confidential web applications (see https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.1):

Note: although PKCE so far was recommended as a mechanism to protect
native apps, this advice applies to all kinds of OAuth clients,
including web applications.

See the Spring Security reference doc section for details on how to change the configuration of the existing Spring MVC client lab.
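To show what enabling PKCE on the web client actually buys, here is an added example (not code from the workshop repository or from Spring Security) that walks through the RFC 7636 exchange with the S256 method: the client derives a code challenge from a random verifier, the authorization server binds that challenge to the issued authorization code, and the token endpoint only redeems the code when the matching verifier is presented. The `AuthorizationServer` class, the `client_id` value and `run_exchange` are constructed for the illustration; the check that an intercepted code without the verifier is refused is the property the draft's recommendation relies on.

```python
"""Added example: the PKCE (RFC 7636) authorization-code exchange, S256 method."""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(num_bytes: int = 32) -> str:
    # 32 random bytes encode to 43 characters, the minimum verifier length.
    return _b64url(secrets.token_bytes(num_bytes))


def make_code_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (constructed) keeping only the state PKCE needs."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge); codes are single use.
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: remember the challenge together with the code."""
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: redeem the code only if the verifier matches the challenge."""
        entry = self._codes.pop(code, None)  # a code can be redeemed at most once
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def run_exchange(steal_code: bool = False) -> bool:
    """Run the flow once; with steal_code=True the code is redeemed by a party
    that intercepted it but never saw the verifier. Returns True if a token was issued."""
    server = AuthorizationServer()
    client_id = "spring-mvc-client"  # constructed value, not from the workshop config

    # Client side: the verifier never leaves the client; only the challenge is sent.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, challenge)

    if steal_code:
        # An interceptor holding only the code has to guess a verifier.
        presented_verifier = make_code_verifier()
    else:
        presented_verifier = verifier

    return server.token(client_id, code, presented_verifier) is not None


if __name__ == "__main__":
    print("legitimate client gets a token:", run_exchange())
    print("intercepted code gets a token:", run_exchange(steal_code=True))
```

The first assertion in the accompanying check uses the verifier and challenge pair from Appendix B of RFC 7636, so the challenge derivation can be compared against the specification rather than against itself.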