
Commit 98723d8

Add a citation of IETF RFC 7636
The RFC is authoritative, clearly explains what it does, and also clearly explains *why* it's used. Let's cite it.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
1 parent 48f5583 commit 98723d8

File tree: 1 file changed (+1 / -1 lines changed)


docs/lfd121.md

Lines changed: 1 addition & 1 deletion
@@ -2153,7 +2153,7 @@ Sometimes you want to separate the program that does authentication, and the pro

**OAuth** is an authorization framework. Its purpose is to authorize a third-party application to access a user's protected resources without the user sharing their actual credentials (like a password) with that application. Instead, OAuth enables an application to obtain limited access to an HTTP service, either on behalf of a resource owner, or by allowing the third-party application to obtain access on its own behalf. OAuth enables this by using an **Access Token**. This token can be limited in scope (what it can do) and duration (how long it lasts).

2156-
While OAuth is powerful, it must be implemented correctly. In particular, security best practices today require using Proof Key for Code Exchange (**PKCE**) in OAuth to help prevent authorization code interception and code substitution attacks, especially in public clients. PKCE checks to ensure that the entity requesting the authorization code (used to get the access token) is the exact same entity exchanging it.
2156+
While OAuth is powerful, it must be implemented correctly. In particular, security best practices today require using Proof Key for Code Exchange (**PKCE**) in OAuth to help prevent authorization code interception and code substitution attacks, especially in public clients. PKCE checks to ensure that the entity requesting the authorization code (used to get the access token) is the exact same entity exchanging it ([IETF RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636)).

OAuth typically involves four distinct roles and these actions:
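Review bot: The citation is attached to the sentence describing what PKCE checks, but the stronger claim in the same paragraph, that "security best practices today require using" PKCE, is not something RFC 7636 itself establishes: RFC 7636 is the specification of the PKCE mechanism (its title is "Proof Key for Code Exchange by OAuth Public Clients") and is scoped to public clients, which matches the hunk's own "especially in public clients" qualifier. As written, a reader may take the new parenthetical as support for the "require" statement. Suggest either moving the citation to the first mention of PKCE ("Proof Key for Code Exchange (**PKCE**, [IETF RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636))") so it plainly cites the mechanism's definition, or adding a separate citation for the "best practices today require" claim that actually states that requirement, e.g. the IETF's OAuth 2.0 Security Best Current Practice. Minor wording point in the same line: "checks to ensure that the entity requesting the authorization code ... is the exact same entity exchanging it" would read more precisely as "lets the authorization server verify that the client exchanging the authorization code is the same client that requested it", since it is the server, not PKCE in the abstract, that performs the check.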
