I'm trying to use the OAuth2 features of CAS 6.1.4, and specifically the Proof Key for Code Exchange (PKCE) variant of the authorization_code grant type: I set everything up, and authorization_code works both in its basic form and in its PKCE variant.
However, it seems like a client_secret request parameter must be provided even when using the PKCE variant; I haven't found a way to avoid that. That seems counterintuitive, as PKCE was introduced for public clients that cannot hold a client secret safely. The RFC 7636 spec and the documentation on the Apereo site are silent about whether the authorization_code request should be authenticated by the client secret.
Please tell me if I'm missing out on something.
Answering my own question here, just in case someone stumbles upon the question.
As it turns out, you can define public clients in CAS by simply omitting the clientSecret field of the corresponding CAS service. (See here for a full description of the OAuth2 client definition, as of CAS 6.1.x.)
A public client does not require the client_secret request parameter, and one can exercise the authorization_code grant type without providing that parameter, PKCE variant or not.
Not that this is written anywhere; I found out by good old trial and error.