Ueberauth purpose? Google Sign In?

Yeah, that’s about right, they are both access tokens, but the one fetched by the client is usually short lived.

It’s handled in the JS SDK, so the code challenge is generated by the client and the only information needed is the client id.

No, but it make sense that short lived access tokens fetched by the client can be used in the Assent callback flow to generate long lived access token and fetch userinfo. It’s something I got in the pipeline (in this case Facebook), but haven’t had time to deal with yet: Allow passing access token to callback · Issue #34 · pow-auth/assent · GitHub

Many providers have this PKCE option or similar to generate tokens on clients, it is a necessity with e.g. SPA that doesn’t rely on a backend. As you can see in the above issue, Facebook has a client side SDK as well (they also have a JS version if I recall correctly).