Tags: oauth, oauth-2.0, identityserver4, identityserver3, openid-connect

Can I use IdentityServer3 Authorization Code Flow with PKCE and no client secret?


I am looking to extend our ID server instance to support mobile apps and wish to use Authorization Code Flow with PKCE. As this is a public client, I do not wish to store the secret in the app, but it appears ID3 requires a secret. Can anyone confirm this? If it is the case, I may need to look at upgrading ID3 to ID4, which is going to be an issue with my timelines.

Kind Regards, Lastbuilders


Solution

  • Specifying a secret for a public client is not an issue with code + PKCE flow. In that case it's just a rudiment, hardly adding more security. That's why they introduced an option to switch it totally off.
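The answer's point is that with PKCE the per-request `code_verifier` is the proof that the party redeeming the authorization code is the same party that started the flow, so a static client secret shipped inside a mobile app adds nothing (and would be extracted from the binary anyway). The following is an added illustration, not code from IdentityServer3 or IdentityServer4, of the two halves of that exchange: the client derives an S256 challenge from a random verifier, and the token endpoint checks the verifier against the challenge it stored with the code, with no client secret involved. The `AuthorizationServer` class and its method names are a toy stand-in for the real endpoints; the first test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(length: int = 64) -> str:
    """Client side: random verifier, 43..128 chars from the unreserved set (RFC 7636 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    # token_urlsafe(96) yields 128 base64url characters, all within the unreserved set.
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy stand-in (an assumption, not IdentityServer's API) for the authorize and token endpoints.

    A public client registered here has no secret at all; the only thing binding the
    token request to the authorization request is the PKCE verifier.
    """

    def __init__(self, public_clients: set[str]):
        self._public_clients = public_clients
        self._codes: dict[str, tuple[str, str]] = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, code_challenge_method: str = "S256") -> str:
        """Authorization endpoint: record the challenge alongside the issued code."""
        if client_id not in self._public_clients:
            raise ValueError("unknown client")
        if code_challenge_method != "S256":
            # Accept only the hashed transform; 'plain' exposes the verifier to anyone who sees the request.
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        """Token endpoint: redeem the code once, proving possession via the verifier."""
        entry = self._codes.pop(code, None)  # single use: a replayed code is rejected
        if entry is None:
            return False
        issued_to, expected_challenge = entry
        if issued_to != client_id:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        return hmac.compare_digest(code_challenge_s256(code_verifier), expected_challenge)


def pkce_round_trip() -> dict[str, bool]:
    """Exercise the exchange as a public mobile client would: honest redemption, wrong verifier, replay."""
    server = AuthorizationServer(public_clients={"mobile-app"})  # constructed client id
    verifier = make_code_verifier()
    code = server.authorize("mobile-app", code_challenge_s256(verifier))
    wrong_code = server.authorize("mobile-app", code_challenge_s256(verifier))
    return {
        "correct_verifier": server.token("mobile-app", code, verifier),
        "wrong_verifier": server.token("mobile-app", wrong_code, make_code_verifier()),
        "replayed_code": server.token("mobile-app", code, verifier),
    }


if __name__ == "__main__":
    print(pkce_round_trip())
```

The "option to switch it totally off" that the answer mentions corresponds, in IdentityServer4, to the client's `RequireClientSecret` setting; the toy server above simply has no secret store for public clients, which is the same end state. The `hmac.compare_digest` call and the single-use `pop` are the two server-side details worth copying: constant-time comparison of the recomputed challenge, and rejection of any code presented a second time.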