14 Feb
OIDC for mobile app with PKCE and client_secret
I came across this article. In there the author suggests using PKCE, which is recommended by RFC 8252. But what I am a little bit confused about is that the author also uses an application server that has the client_secret.
Are client_secret and PKCE both adding security?
Or is PKCE just the replacement for the client_secret for public clients?
I would be interested in attack scenarios where the client_secret helps but PKCE does not.