
This is a more direct "yes" or "no" question, following on from these:

PKCE vs Client Secret

What is the purpose of the OAuth2 client secret?

Does PKCE replace state in the Authorization Code OAuth flow?

What is PKCE actually protecting?

I am assuming the answer is "yes" based on the above, so only the client_id is needed and the secret generation is managed by the client through its code verifiers. Though if that were the case, why would Google still use client secrets for their OAuth 2.0 Client IDs (unless their equivalent of secret-less client IDs is the API Keys, which I haven't verified to be their PKCE)?

1 Answer


For confidential clients (i.e. clients that can keep client credentials safe), client secrets still have value even when using PKCE. They prevent other clients from impersonating your client.

For public clients (clients that are unable to use registered client secrets) using client secrets has no advantage.