browsing the specs of OAuth 2.1 and found that PKCE is now mandatory for Authorization Code Flow (not only Desktops or frontend-only apps!):
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12
"The authorization code grant is extended with the functionality from PKCE [RFC7636] such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters"
Edited 75d ago