PKCE is integrated in the authorization code grant flow. Use of PKCE will be required by public clients to improve their security, as described above. For confidential clients, where the authorization server can verify their credentials, the use of PKCE is not required, only recommended.

The implicit grant flow is deprecated and omitted from the specification, due to its less secure nature.

The resource owner password credentials grant flow is also deprecated and omitted from the specification, for the same reasons.