The authorization code flow doesn't require a client secret in case of a public client. Instead, the client needs to use the PKCE extension and send a code challenge / code verifier.
That is why we don't compare the client secret when the client id and code verifier are set in the query parameters.
/cc @dschmidt