Open SECtim opened 8 months ago
This specific carve-out for the nonce protection is really an edge case, which could probably be made even more explicit. It is not meant to be the common case, which is why the narrative text describes the use of code_challenge. I could borrow some more language from the security BCP that talks about the specific conditions in which it's okay to use the nonce from here if that would make it more clear: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.5.3.2
In that case, my take would be to be very explicit in Section 7.5.2 about this being an edge case. And maybe add some sentence saying ASs are still recommended to require code_challenge and code_verifier even if these conditions are met.
The following text snippets seem like a code_challenge is always required in the authorization request (for authZ code flows).

Description of the authZ code flow figure:
https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1468-L1470
https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1485-L1487
https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1493-L1494

Section 4.3.1:
https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L1863-L1865
Whereas various other places, most prominently Section 7.5.2, state that code_challenge is (only) required unless some conditions are met:
https://github.com/oauth-wg/oauth-v2-1/blob/f79f58841f717b0e6050da663c4a858bc100fda1/draft-ietf-oauth-v2-1.md?plain=1#L2743-L2750