OAuth2 public clients can't use a client secret and still achieve a secure workflow, so why is it used for confidential clients?

Çağlar Arlı      -    50 Views
In an OAuth2 authorization flow, if I understand correctly, the request made to receive a token with PKCE is almost identical between that of a public client and that of a confidential client. The only real difference is that a confidential client will also send along the "client secret" while a public client does not, because that would make the secret available to the public.

If a public client does not send the client secret, but can still seemingly obtain a token in a secure fashion, then what is the purpose of sending the client secret in a confidential client situation? I get that it guarantees the client is legit, but does that mean that by being unable to include it from a public client there is some loophole in security in this approach and the community is fine with that?
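The two token requests the question compares, as an added example that is not part of the original post: both client types present the same PKCE proof (which binds the code exchange to the session that started it), and only the confidential client additionally authenticates itself with its secret (which tells the server which registered client it is talking to). The client ids, the secret value and the client registry are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

def make_pkce_pair():
    """RFC 7636: random code_verifier and its S256 code_challenge (base64url, no padding)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def token_request(code, verifier, client_id, client_secret=None):
    """Form body a client posts to the token endpoint; only the secret differs."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,
        "client_id": client_id,
    }
    if client_secret is not None:  # confidential client authenticates itself
        body["client_secret"] = client_secret
    return body

# Constructed sample registry: what the authorization server knows about each client.
CLIENTS = {
    "mobile-app": {"public": True, "secret": None},
    "backend-svc": {"public": False, "secret": "constructed-secret-value"},
}

def server_exchange(body, stored_challenge, client_registry=CLIENTS):
    """Authorization server side. PKCE proves the party finishing the flow is the
    one that started it; the secret (confidential clients only) proves which
    registered client that party is. Returns (ok, reason)."""
    client = client_registry.get(body.get("client_id"))
    if client is None:
        return False, "unknown client"
    if not client["public"]:
        presented = body.get("client_secret", "")
        if not hmac.compare_digest(presented, client["secret"]):
            return False, "client authentication failed"
    digest = hashlib.sha256(body.get("code_verifier", "").encode("ascii")).digest()
    recomputed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    if not hmac.compare_digest(recomputed, stored_challenge):
        return False, "PKCE verification failed"
    return True, "token issued"
```

The public client's request is accepted on PKCE alone, while a confidential client that omits or mistypes its secret is rejected before PKCE is even checked.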