How does Auth0 provide authorization code flow in a SPA

Hey Philippe, thanks for the reply. It led me to the Auth0 doco that I had seen, but not quite understood how it fits into the picture.

Taking a quick step back - we have used AC in our .NET MVC apps, using a pre-defined client secret (stored server side and with the auth provider). I believe this is the gold standard for federated authentication.

It seems that for AC + PKCE, the Auth0 client SDK JavaScript generates a code challenge secret, which acts pretty much like the client secret on our server-side apps.

Is this right? If so, they are closer than I thought. Is it fair to say that the difference in security is just that with PKCE there is the theoretical chance of someone generating a valid code challenge? That in practice, AC and AC+PKCE are as good as each other?

Thanks for reading.

Mark