The PKCE spec defines two methods, S256 and plain; the former is used in this example and is the only one supported by Auth0, since the latter is discouraged.
Why did they design it so plain was even a valid value to use?

If you use plain, then if the auth code is stolen, the code_verifier can also be stolen since it's the same value as the code_challenge.

I don't see how this adds any security at all.
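The point in the question can be checked directly. The following is an added example (not from the original thread or from Auth0): it implements the two RFC 7636 transforms and a minimal server-side check, and shows that a party who captured only the code_challenge from the authorization request can pass the check under plain but not under S256.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """43-character verifier: base64url of 32 random bytes (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge the client sends in the authorization request."""
    if method == "plain":
        # plain: challenge == verifier, so the request already leaks the verifier
        return verifier
    if method == "S256":
        # S256: one-way digest; the challenge does not reveal the verifier
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_accepts(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute the transform and compare in constant time."""
    expected = code_challenge(presented_verifier, method)
    return secrets.compare_digest(expected, stored_challenge)


def challenge_only_party_succeeds(stored_challenge: str, method: str) -> bool:
    """Someone holding the auth code and the observed code_challenge (but not the
    verifier) can only present the challenge itself as the code_verifier."""
    return server_accepts(stored_challenge, method, stored_challenge)


if __name__ == "__main__":
    v = generate_code_verifier()
    for m in ("plain", "S256"):
        c = code_challenge(v, m)
        print(m, "legit client:", server_accepts(c, m, v),
              "| challenge-only party:", challenge_only_party_succeeds(c, m))
```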
The specification says:
If the client is capable of using "S256", it MUST use "S256", as "S256" is Mandatory To Implement (MTI) on the server. Clients are permitted to use "plain" only if they cannot support "S256" for some technical reason and know via out-of-band configuration that the server supports "plain".

The plain transformation is for compatibility with existing deployments and for constrained environments that can't use the S256 transformation.
So I guess it's only in the spec for backwards compatibility reasons.