google_pkce_client.rb

require 'rack/oauth2'

Rack::OAuth2.debug!

client = Rack::OAuth2::Client.new(
  identifier: 'YOUR_CLIENT_ID',
  secret: 'YOUR_CLIENT_SECRET',
  redirect_uri: 'YOUR_REDIRECT_URI',
  authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
  token_endpoint: 'https://oauth2.googleapis.com/token'
)
code_verifier = SecureRandom.hex(32)
code_challenge = Base64.urlsafe_encode64(OpenSSL::Digest::SHA256.digest(code_verifier), padding: false)

authorization_url = client.authorization_uri(
  scope: 'email',
  # code_challenge: code_challenge,
  # code_challenge_method: :S256
)
puts authorization_url
`open "#{authorization_url}"`

print 'code: ' and STDOUT.flush
code = gets.chop

client.authorization_code = code
client.access_token!(
  code_verifier: code_verifier
)

# NOTE: if code_challange isn't sent at AuthZ Req, you should get an error as below.
#
# Status: 400 Bad Request
#
# {
#   "error": "invalid_grant",
#   "error_description": "code_verifier or verifier is not needed."
# }