Tags: authentication, identityserver4, claims-based-identity

IdentityServer4: Can I use PKCE with Client Credentials in IdentityServer?


App: Android App (Allow some anonymous access, some authenticated access)

Auth: IdentityServer4

API: All access must be authenticated as a minimum by the client, but some also by user claims.

I have a public client (an Android App), currently using Authorization Code with PKCE when authenticating A USER using IdentityServer4.

My app has pages allowing anonymous users to navigate. I want my API however to ensure my public client Android app is making the calls, so I want to authenticate my client app for the API.

As I'm using Authorization Code with PKCE when authenticating the user, I do not have a client secret for my app. So can I authenticate my client using client credentials (just my client ID) and the PKCE?

If not, how can I authenticate my client without a user being logged on, given that I have no client_secret?


Solution

  • No. PKCE is designed to extend the Authorization Code grant. It doesn't make sense in the context of Client Credentials.

    What you're trying to do ultimately relies on the client keeping a secret, which is not feasible.

    If your concern is bots, anything simple, like a key in a header that your app holds but isn't too concerned about a human hacker discovering, will keep most, probably all, out. The hacker will still get in, but the mitigation for that should be to instead require (user) authentication for calls that expose non-public data.
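The setup the answer points to, as an added example (not the asker's or the answerer's code, and not IdentityServer4's own): a public Android client registered for Authorization Code with PKCE and no secret, and an API that leaves the public endpoints anonymous and requires a user token for everything else. The client id, redirect URI and scope name are assumed.

```csharp
// Added example: IdentityServer4 client registration for a public mobile app, and the
// API-side split between anonymous and user-authenticated endpoints. Names are assumed.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public static class IdsConfig
{
    // A native app cannot keep a secret, so none is configured and PKCE is required.
    // PKCE binds the authorization code to the request that started the flow; it does
    // not prove which application is calling, so it cannot stand in for a client secret.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "android-app",                               // assumed client id
            AllowedGrantTypes = GrantTypes.Code,                    // PKCE only extends this grant
            RequirePkce = true,
            RequireClientSecret = false,                            // public client
            RedirectUris = { "com.example.app:/oauth2redirect" },   // assumed redirect scheme
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" },
            AllowOfflineAccess = true                               // refresh tokens for the app
        }
    };

    public static IEnumerable<ApiScope> ApiScopes => new[] { new ApiScope("api1") };
}

// API side: a bearer token cannot prove "this request came from our app", so the
// control that actually holds is requiring a signed-in user wherever non-public data
// is exposed, and treating the anonymous endpoints as genuinely public.
[ApiController]
[Route("api/[controller]")]
public class CatalogController : ControllerBase
{
    [HttpGet("public")]
    [AllowAnonymous]              // pages the app shows to anyone; assume the data is public
    public IActionResult PublicList() => Ok(new[] { "item-a", "item-b" });

    [HttpGet("mine")]
    [Authorize]                   // user-bound data: requires a user access token from IdentityServer4
    public IActionResult MyItems() => Ok(new { user = User.FindFirst("sub")?.Value });
}
```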