What is the OAuth 2.0 Authorization Code Grant Type?

Aaron Parecki

This would be a good summary of RFC6749, but doesn’t reflect the current best practice. Implicit serves no purpose anymore and is being removed, Password is also being removed because it’s dangerous and inflexible, and the authorization code flow is being extended to include PKCE by default. Web apps, mobile apps, and single-page apps should all use authorization code + PKCE now. Take a look at https://oauth.net/2.1/ and https://oauth.net/2/oauth-best-practice/ for some more links and background.
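
The authorization code + PKCE combination recommended in the comment above, as an added example that is not part of the original comment: the client derives an S256 challenge as defined in RFC 7636, and the authorization server checks the verifier at the token endpoint before issuing a token. All function names are hypothetical, and storage of the challenge alongside the issued code is assumed.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client: fresh high-entropy verifier, one per authorization request."""
    return secrets.token_urlsafe(32)  # 32 random bytes -> 43 characters


def authorization_url(endpoint, client_id, redirect_uri, state, code_verifier):
    """Client: the request carries the challenge, never the verifier itself."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return endpoint + "?" + urlencode(params)


def server_accepts(code_verifier: str, stored_challenge: str) -> bool:
    """Authorization server, token endpoint: compare the verifier sent with
    the code against the challenge stored when the code was issued."""
    if not VERIFIER_RE.fullmatch(code_verifier or ""):
        return False  # missing or malformed verifier: no token is issued
    computed = s256_challenge(code_verifier).encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(computed, stored_challenge.encode("utf-8"))
```

A party that obtains only the authorization code cannot redeem it, because the verifier never leaves the client until the token request.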