Tags: oauth, blazor, identityserver4

Identityserver and client secrets in a blazor server app


I have an IdentityServer and a Blazor Server app running, and I am using the code workflow to get my tokens. I have a secret for my Blazor app but just found out that I can get my token as well when I omit the secret and set the property RequireClientSecret to false in the configuration for the client in the IdentityServer. I can see that this is needed for pure JavaScript applications where you do not want to transfer the secret with the web app. Does this also apply to the Blazor Server app? I guess not, but I would like to be sure that I cannot leak my secret like that.

Another question would be: if I can ignore the secret, in what case would it be useful to still use it? From my understanding, without the secret I can only prevent someone from impersonating the client by controlling the redirect URIs, e.g. not having localhost as a valid redirect URI on prod. But other than that, what else would a secret give me in a Blazor Server app? (In case the secret cannot be leaked through Blazor like that, of course.)


Solution

  • A Blazor Server app lives inside the process of an ASP.NET Core app and uses its Startup.cs file. Therefore all of its configuration is only known to the server. The thin JavaScript client in Blazor Server apps that is responsible for the WebSocket connection doesn't get hold of it.

    Link discussing the benefit of Client Secrets in OAuth2
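The following is an added example, not code from the original question or answer, showing both halves of the setup the answer describes: the IdentityServer4 client definitions (a confidential Blazor Server client that keeps its secret and a browser-only client that cannot), and the Blazor Server app's Startup.cs, where the secret is read from server-side configuration and only ever used in the back-channel token request. The client ids, redirect URIs, scope name "api1" and the configuration key "Oidc:ClientSecret" are assumptions for illustration.

```csharp
// Added example (not from the original post). Assumed: client ids, URLs,
// scope "api1" and the configuration key "Oidc:ClientSecret".

// ---------- IdentityServer side: Config.cs ----------
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    public static IEnumerable<Client> Clients => new List<Client>
    {
        // Blazor Server app: the token request is made by the ASP.NET Core
        // process, so it can hold a secret. Keep RequireClientSecret = true
        // (the default, shown explicitly) and allow only the production
        // redirect URI, not localhost.
        new Client
        {
            ClientId = "blazor-server",                       // assumed
            ClientName = "Blazor Server app",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = true,
            // Assumed placeholder; in practice load the secret from a secret
            // store rather than hard-coding it.
            ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) },
            RedirectUris = { "https://app.example.com/signin-oidc" },                   // assumed
            PostLogoutRedirectUris = { "https://app.example.com/signout-callback-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"                                        // assumed API scope
            },
            AllowOfflineAccess = true
        },

        // Browser-only (SPA / WebAssembly) client: any secret would ship to
        // the browser, so it is omitted. PKCE plus strict redirect URIs are
        // then the only protection against client impersonation.
        new Client
        {
            ClientId = "spa",                                 // assumed
            ClientName = "Browser app",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://spa.example.com/authentication/login-callback" }, // assumed
            AllowedCorsOrigins = { "https://spa.example.com" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            }
        }
    };
}

// ---------- Blazor Server side: Startup.cs ----------
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRazorPages();
        services.AddServerSideBlazor();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://identity.example.com";   // assumed
            options.ClientId = "blazor-server";                    // matches the IdentityServer client above
            // Read server-side only; the browser's SignalR circuit never
            // sees it, because the token request happens here, not in JS.
            options.ClientSecret = Configuration["Oidc:ClientSecret"]; // assumed key
            options.ResponseType = "code";
            options.UsePkce = true;
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.Scope.Add("profile");
            options.Scope.Add("api1");
            options.Scope.Add("offline_access");
        });
    }
}
```

With this configuration the authorization code alone is not enough to obtain tokens for "blazor-server": IdentityServer rejects a token request that lacks the matching secret, so an attacker who intercepts a code (for example through a misconfigured redirect URI) still cannot redeem it. Setting RequireClientSecret = false would make the Blazor client behave like the "spa" client, where redirect URI validation and PKCE are the only remaining checks.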