OAuth 2.0 and PKCE
The current draft of the “OAuth 2.0 Security Best Current Practice” recommends using PKCE (Proof Key for Code Exchange by OAuth Public Clients) to protect the authorization code grant flow for all types of applications, not only native applications. See this post from CCISEL engineer Pedro Félix, where he describes the goals and mechanics of PKCE.
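The sketch below is an added example, not code from the draft or from the referenced post. It walks through the S256 variant of PKCE as defined in RFC 7636: the client binds the authorization request to a secret verifier, and the token endpoint redeems a code only for the party that presents that verifier. The `AuthorizationServer` class, its in-memory code store and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical in-memory server: only the PKCE checks are modelled."""
    def __init__(self):
        self._codes = {}  # authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        if method != "S256":  # refuse "plain" and missing challenges
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._codes.pop(code, None)  # codes are single-use
        if challenge is None or not VERIFIER_RE.fullmatch(code_verifier or ""):
            return False
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)

def run_flow():
    """Returns (client_ok, code_only_ok) for two constructed requests."""
    server = AuthorizationServer()
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)
    # The client that created the verifier redeems its code.
    client_ok = server.token(server.authorize(challenge, "S256"), verifier)
    # A party holding only the code must guess a verifier and is refused.
    code_only_ok = server.token(server.authorize(challenge, "S256"),
                                new_code_verifier())
    return client_ok, code_only_ok
```
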