Currently Portal for ArcGIS and ArcGIS Online support the "implicite flow" for browser based logins:
The implicit flow is some kind of "deprecated" and I found following recommandation:
See https://oauth.net/2/grant-types/implicit/ .
Can I expect that this more secure flow will be supported by ArcGIS Online and Portal for ArcGIS?
ArcGIS Online added support for the Authorization Code flow with PKCE in the March 2020 update. ArcGIS Enterprise 10.8.1 will have the same support when released later this year.