Describe how OAuth 2.0 flows work. What is the difference between the implicit flow and the authorization code flow?