truqu / elm-oauth2

OAuth 2.0 client-side utils in Elm
MIT License

Recommend PKCE for all clients #25

Closed tekul closed 3 years ago

tekul commented 3 years ago

The README (and hence doc on elm-packages) is a bit confusing since it says "FOR CONFIDENTIAL CLIENTS" for the code/PKCE grant whereas it is recommended for use by all clients, especially public ones (non-public clients are protected to some extent since they must authenticate to the token endpoint).

It's intended that in future versions, PKCE will be required for the authorization code grant and the implicit and resource owner grants will be dropped from the spec.
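To make concrete what the issue is asking the README to reflect, the following added example (not code from elm-oauth2, written in Python rather than Elm) shows the PKCE mechanics of RFC 7636: the client derives a `code_challenge` from a random `code_verifier`, and the token endpoint refuses an authorization code unless the matching verifier is presented. The `AuthorizationServer` class is a constructed stand-in for the server side, which is why PKCE protects a public client that cannot authenticate with a secret.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def make_verifier(nbytes: int = 32) -> str:
    """Generate a code_verifier: 43-128 unreserved characters (RFC 7636 section 4.1)."""
    # 32 random bytes encode to 43 base64url characters once padding is stripped.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Constructed stand-in for the server side: remembers the challenge bound to
    each issued code and checks the verifier at the token endpoint."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        # The authorization response carries a code bound to the challenge.
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Codes are single-use; a replayed or unknown code is rejected outright.
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return False
        # Constant-time comparison of the recomputed challenge with the stored one.
        return hmac.compare_digest(s256_challenge(code_verifier), challenge)


def pkce_flow(presented_verifier: Optional[str] = None) -> bool:
    """Run one code exchange. Without PKCE a public client has no secret, so a
    code seen in transit could be redeemed by anyone; with PKCE the token
    endpoint only accepts the code together with the original verifier."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize(s256_challenge(verifier))
    return server.token(code, presented_verifier or verifier)
```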