
Will PKCE implementation resolve problem with dynamic redirect_uri Oauth 2.0 (Code Grant Flow)


I'd like to use redirect_uri as a dynamic parameter in Code Grant, but I know that the redirect_uri must be static for security reasons. If I implement the PKCE flow and leave validating of the client_secret parameter, will using a dynamic redirect_uri be more secure then? It seems to me that I will add a new step of authentication (using PKCE).

Thanks!


Solution

TL;DR

Not really.

Explanation

PKCE was originally designed to protect the auth code flow from CSRF and auth code injection attacks (PKCE, RFC-7636). The PKCE RFC strongly suggests following the OAuth 2.0 security recommendations. RFC-6819 section 5.2.3.3 states that the reason for a static redirect_uri is to prevent:

• XSS attacks
• Impersonation of public client applications

Dynamic redirect URIs open a potential vulnerability: a client may end up providing the code_challenge as well as the auth token to a malicious actor.

Example:

*.example_domain.com

Some websites such as Google give users the ability to create their own sites as subdomains. A malicious actor can take advantage of this. It may not be simple or easy, but it does expose a vulnerability.

subdomain.*

This is even worse. Any site with a subdomain that matches would be valid.

In either of the above scenarios PKCE does nothing to prevent impersonation, which could allow an attacker to gain an access token. It is an excellent tool for preventing exploitation in an environment where the token endpoint is trusted.

OpenID Connect

Your question was tagged with openid-connect. OIDC requires that a redirect_uri be pre-registered with an OpenID Provider (OpenID Connect Core). It is possible for you to create a very long whitelist of redirect URIs to use.
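The following is an added example, not part of the question or the answer above, showing on the authorization-server side why the two checks are independent: the redirect_uri check is an exact string comparison against a per-client registration list (RFC 6749 section 3.1.2.2 and RFC 6819 section 5.2.3.3), while the PKCE S256 check only ties the token request to the code_verifier held by whoever started the flow. The client id, the registered URIs and the sample request values are constructed for this illustration; `weak_subdomain_match` and `weak_prefix_match` reproduce the two wildcard patterns from the answer so the difference in accepted hosts is visible.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed registration table for a hypothetical client "client-abc".
# Registered URIs are stored and compared as complete strings.
REGISTERED_REDIRECT_URIS = {
    "client-abc": {"https://app.example_domain.com/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: the only comparison RFC 6749 / RFC 6819 endorse."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def weak_subdomain_match(redirect_uri: str, registered_suffix: str) -> bool:
    """The '*.example_domain.com' pattern from the answer: any host ending in
    the registered suffix is accepted, so any subdomain a user can create
    on that domain becomes a valid redirect target."""
    host = urlsplit(redirect_uri).hostname or ""
    return host == registered_suffix or host.endswith("." + registered_suffix)


def weak_prefix_match(redirect_uri: str, registered_label: str) -> bool:
    """The 'subdomain.*' pattern from the answer: only the leading label is
    checked, so a host on an entirely different domain is accepted."""
    host = urlsplit(redirect_uri).hostname or ""
    return host.startswith(registered_label + ".")


def make_pkce_pair() -> tuple[str, str]:
    """Generate a code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_s256(code_verifier: str, code_challenge: str) -> bool:
    """Token-endpoint side of PKCE: recompute the challenge from the verifier.
    Note that nothing here involves redirect_uri at all."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, code_challenge)


def authorize_request(client_id: str, redirect_uri: str,
                      code_challenge: str, method: str = "S256") -> str:
    """Authorization-endpoint decision. Both checks must pass; a valid PKCE
    challenge never compensates for an unregistered redirect_uri."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return "invalid_request: redirect_uri not registered"
    if method != "S256" or not code_challenge:
        return "invalid_request: PKCE S256 code_challenge required"
    return "ok"


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    for uri in ("https://app.example_domain.com/callback",
                "https://evil.example_domain.com/callback",
                "https://subdomain.attacker.invalid/callback"):
        print(uri)
        print("  exact match :", redirect_uri_allowed("client-abc", uri))
        print("  *.example_domain.com :", weak_subdomain_match(uri, "example_domain.com"))
        print("  subdomain.* :", weak_prefix_match(uri, "subdomain"))
        print("  decision :", authorize_request("client-abc", uri, challenge))
```

Running the block prints, for each constructed URI, what the exact-match check and the two wildcard patterns accept and what the combined decision is; the PKCE challenge is identical in all three cases, which is the point of the answer.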