
Why do OAuth2 PKCE authorization codes have client_id?

Çağlar Arlı

If I'm understanding OAuth2 PKCE right, it is to be used in cases where a client cannot be trusted to hold onto a client secret. I also understand (reading RFC 6749) that a client id is not a secret.

This means that a PKCE authorization token request process starts from an unauthenticated computer and an unauthenticated client. So why is client_id a mandatory field? It could easily be forged and thus no authorization can be done using it.
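Added example, not part of the original post: a minimal Python model of the PKCE flow that RFC 7636 describes, showing what the authorization server does with client_id. At the authorization endpoint the server uses client_id to look up the registered redirect_uri and then binds the issued code to client_id, redirect_uri and code_challenge; at the token endpoint it checks all three plus the code_verifier. The `AuthServer` class and the registered-client table are constructed for illustration.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class AuthServer:
    """Constructed toy authorization server; not any real product's code."""

    def __init__(self, registered):
        # client_id -> registered redirect_uri (constructed sample data)
        self.registered = registered
        self.codes = {}  # outstanding authorization codes and their bindings

    def authorize(self, client_id, redirect_uri, code_challenge):
        # client_id is not a secret, but it selects the registration record:
        # the code may only be delivered to that client's registered redirect_uri.
        if self.registered.get(client_id) != redirect_uri:
            return None
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        rec = self.codes.pop(code, None)  # single use; a failed attempt burns it too
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        # Proof of possession: only the party that generated the verifier can match it.
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != rec["challenge"]:
            return None
        return {"access_token": b64url(secrets.token_bytes(16)), "client_id": client_id}


if __name__ == "__main__":
    srv = AuthServer({"app-123": "https://app.example/cb"})
    verifier, challenge = make_pkce_pair()
    code = srv.authorize("app-123", "https://app.example/cb", challenge)
    print(srv.token("app-123", "https://app.example/cb", code, verifier))
```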