jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!

Home Page:https://django-oauth-toolkit.readthedocs.io


app without client_secret (still) not working?

n2ygk opened this issue · comments

I'm trying to achieve an Authorization Code with PKCE flow and public client for a Single Page web App (that can't keep a client_secret safe). I am using the latest release 2.4.0 but having the same issue described above.

  • I register a new app with Client type = Public, Grant type = Authorization code and Algorithm = RSA 256 (because I'm using OIDC) - screenshot below
  • When I include the Client Secret in Postman, I get both the code and token correctly ✅
  • When I omit the Client Secret, I get the code returned OK but the `POST /o/token/` returns 401 and gives me "Error: invalid_client" ❌
  • I've tried with both PKCE_REQUIRED true and false

@n2ygk do you (or anyone else) have any ideas as to what I might be doing wrong?

[Screenshot 2024-05-22 at 3 36 56 PM]

Originally posted by @s1monj in #1092 (comment)

@s1monj the testapp2 screenshot shows a client secret. Are you sure it's blank?

@n2ygk ahhhhh can't believe I didn't try that! That was all I needed thanks! I guess because the Client Secret is auto-populated by the UI, I was in the mindset that every app has a client secret, and it's just up to the "Client type" to determine if the client must send it or not. I never thought of saving a blank secret, and now it makes total sense. Really appreciate your help with this!
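The behaviour the thread arrives at, as an added example (not code from django-oauth-toolkit or from either participant): a simplified model of the token endpoint in which whether a client must authenticate is decided by whether the *registered* app has a secret saved, not by "Client type" alone. The `Application` class, the `token_endpoint` function, the plaintext secret comparison (the real project hashes stored secrets) and all sample values (`testapp2`, the pre-filled secret string, the authorization code) are assumptions made for illustration; the PKCE S256 computation follows RFC 7636.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Application:
    """Registered OAuth2 app as the admin form records it (simplified model, not DOT's model)."""
    client_id: str
    client_type: str      # "public" or "confidential"
    client_secret: str    # "" means "this app has no secret at all"


def make_pkce_pair() -> Tuple[str, str]:
    """RFC 7636 S256: a random code_verifier and its base64url(SHA-256) code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """True if S256(verifier) equals the challenge stored at the authorize step."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(expected, challenge)


def token_endpoint(app: Application, form: Dict[str, str],
                   stored_challenge: Optional[str]) -> Tuple[int, dict]:
    """Model of POST /o/token/ for grant_type=authorization_code (assumed logic).

    Client authentication is decided first, and it hinges on the saved secret:
    a Public app that still carries the auto-populated secret fails exactly
    like the 401 invalid_client reported in the thread.
    """
    presented = form.get("client_secret", "")
    if presented:
        # A secret was sent: it must match the one on record.
        if not app.client_secret or not secrets.compare_digest(presented, app.client_secret):
            return 401, {"error": "invalid_client"}
    elif app.client_secret:
        # No secret sent, but one is saved on the app: reject, regardless of client_type.
        return 401, {"error": "invalid_client"}
    # Client accepted (or genuinely secret-less); now bind the code to the SPA via PKCE.
    if stored_challenge is not None:
        verifier = form.get("code_verifier", "")
        if not verifier or not pkce_matches(verifier, stored_challenge):
            return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


# Constructed sample data for the scenarios below.
AUTOFILLED_SECRET = "admin-form-prefilled-secret"   # stands in for what the UI pre-populates


def run_scenarios() -> Dict[str, int]:
    """Return the HTTP status each scenario from the thread produces under this model."""
    verifier, challenge = make_pkce_pair()
    base = {
        "grant_type": "authorization_code",
        "code": "constructed-auth-code",
        "client_id": "testapp2",
        "redirect_uri": "http://localhost/callback",
        "code_verifier": verifier,
    }
    with_saved_secret = Application("testapp2", "public", AUTOFILLED_SECRET)
    with_blank_secret = Application("testapp2", "public", "")
    return {
        # Public app, secret left auto-populated, Postman omits it -> the reported 401.
        "saved_secret_omitted": token_endpoint(with_saved_secret, base, challenge)[0],
        # Same app, secret included -> works, which is why it "succeeded with the secret".
        "saved_secret_sent": token_endpoint(
            with_saved_secret, {**base, "client_secret": AUTOFILLED_SECRET}, challenge)[0],
        # Secret saved blank -> a real public client; PKCE alone is enough.
        "blank_secret_omitted": token_endpoint(with_blank_secret, base, challenge)[0],
        # Blank secret but wrong code_verifier -> PKCE still protects the code.
        "blank_secret_bad_verifier": token_endpoint(
            with_blank_secret, {**base, "code_verifier": "not-the-verifier"}, challenge)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The practical check this suggests: after saving a Public application, confirm the secret field is actually empty, and keep PKCE required so that a secret-less client still cannot redeem a code it did not initiate.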

Phew. Glad that's all it was.