Open-EO / openeo-api

The openEO API specification
http://api.openeo.org
Apache License 2.0

OIDC: Allow auth code flow and device flow for default clients #411

Closed m-mohr closed 3 years ago

m-mohr commented 3 years ago

Fixes/Implements #410.

Could someone verify that my understanding of the authorization_code flow is correct and doesn't require a client_secret?

soxofaan commented 3 years ago

Could someone verify that my understanding of the authorization_code flow is correct and doesn't require a client_secret?

From https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3:

The authorization server MAY accept any form of client authentication meeting its security requirements.

If "any form of client auth" also includes "no client auth", then I guess authorization_code without client_secret/PKCE is indeed allowed.