When I try to log in using the Authorization Code Flow with PKCE, I expect to be able to disable the client_secret, since we are using a SPA and do not want to expose it in the frontend. However, even with PKCE enabled, a client_secret still seems to be required, as shown in the following error message: "Client secret is required for authorization_code, but no client secret is configured."
Is it possible to configure the Indicium authorization server to not require a client_secret for public clients using PKCE?
Best answer by Vincent Doppenberg