oidc
OAuth 2.1 compliance regarding PKCE and client secret
Is your feature request related to a problem? Please describe. The current definition of OAuth 2.1 expects a client secret when a confidential app is used in combination with PKCE.
Describe the solution you'd like: Check the client secret when the PKCE flow is used and the app is typed as confidential.
Describe alternatives you've considered: Splitting compliance into a different version, to be at least different from the new version of OAuth.
Additional context
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#authorization_codes
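As an added example (not code from the project or from the issue author), a token-endpoint check in the shape the request above describes: PKCE is verified for every client, and a client typed as confidential must additionally present its client secret. The client registrations and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample registrations; a real server would load these from storage.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "example-secret-not-real"},
    "spa": {"confidential": False, "secret": None},
}


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (S256 method)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_request_ok(
    client_id: str,
    client_secret: Optional[str],
    code_verifier: Optional[str],
    stored_challenge: Optional[str],
) -> Tuple[bool, str]:
    """Return (accepted, reason) for an authorization_code grant at the token endpoint."""
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "invalid_client"

    # Confidential clients must authenticate; PKCE does not replace the client secret.
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            return False, "invalid_client"

    # PKCE is required for all clients: the code must carry a challenge and the
    # request must carry a verifier that hashes to it.
    if code_verifier is None or stored_challenge is None:
        return False, "invalid_grant"
    if not hmac.compare_digest(s256_challenge(code_verifier), stored_challenge):
        return False, "invalid_grant"

    return True, "ok"
```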