Looking for a simple answer to this. SPAs and clients with a back-end can both use Auth Code + PKCE. However, clients with a back-end use secrets (SPAs can’t be trusted to keep one).
The official spec for Auth Code + PKCE says nothing about secrets and if/when they are required, unless I missed it completely. code_verifier is a secret, but it’s not THE SECRET. It’s not a secret generated and saved with Auth0.
So, is requiring a secret completely up to the IdP (Auth0)? The way I understand this, Auth0 will set a flag `RequireSecret = true`, and that’s the only thing that makes the server-side app more secure. The spec does not require it. Is this true? What am I missing?
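An added example, not from the original post, showing the two different roles the question contrasts: the per-request `code_verifier`/`code_challenge` pair from RFC 7636 (S256) binds the token request to the earlier authorization request, while a registered `client_secret` authenticates a confidential client. The form-field names follow the standard OAuth token request; whether a given IdP enforces the secret for a back-end client is modelled here as the `registered_secret` argument, an assumption for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional


def make_code_verifier() -> str:
    """Fresh, high-entropy verifier for one authorization request (RFC 7636 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def token_request_body(client_id: str, code: str, code_verifier: str,
                       client_secret: Optional[str] = None) -> dict:
    """Form fields for the token endpoint. Every PKCE client sends code_verifier;
    only a confidential (back-end) client also sends the client_secret it was
    issued at registration. A public client (SPA) has none to send."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def authorization_server_checks(stored_challenge: str, stored_method: str,
                                body: dict, registered_secret: Optional[str]) -> bool:
    """What the IdP verifies at the token endpoint (assumed model, not Auth0's code).
    The PKCE check proves the caller started this particular flow; the secret check
    exists only for clients registered as confidential, which is why PKCE on its
    own does not authenticate the client."""
    if stored_method != "S256":
        return False
    expected = code_challenge_s256(body["code_verifier"])
    if not secrets.compare_digest(expected, stored_challenge):
        return False
    if registered_secret is not None:
        return secrets.compare_digest(body.get("client_secret", ""), registered_secret)
    return True
```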