I am implementing a .NET Core 6 app and I'm using Okta OAuth 2.0 PKCE with the Okta ASP.NET middleware NuGet package.
Initially I configured an Okta application and used the client secret in my .NET Core 6 app configuration with no issues. However, my team is now asking me to achieve the same integration without using a client secret, as in their opinion it can be achieved without one. Are you aware of a way I can achieve this? From looking at your package source, I see the client secret is mandatory.
Another question: given that my .NET Core 6 app is hosted on a server (not a SPA), am I right in saying it's completely secure to store the client secret in my settings, as it's never surfaced in any front-end?
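For readers weighing the two questions above, the following is an added illustration (not code from the Okta middleware or from the original post) of what PKCE, as specified in RFC 7636, actually contributes. It shows the three steps a client and authorization server perform: generating a random code_verifier, deriving the S256 code_challenge sent with the authorization request, and checking the verifier at the token endpoint. The class and method names are hypothetical; the known-answer vector is the one published in Appendix B of RFC 7636. The point it makes is that PKCE binds the authorization code to the client instance that started the flow; it does not authenticate the client the way a client secret does, which is why a confidential (server-hosted) client is still normally configured with a secret or another client credential.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names): the PKCE steps from RFC 7636.
// This is not the Okta middleware's implementation.
public static class PkceDemo
{
    // Step 1 (client): a high-entropy code_verifier, 43..128 URL-safe characters.
    // 32 random bytes base64url-encode to 43 characters.
    public static string CreateCodeVerifier()
    {
        byte[] bytes = RandomNumberGenerator.GetBytes(32);
        return Base64UrlEncode(bytes);
    }

    // Step 2 (client): code_challenge = BASE64URL(SHA256(ASCII(code_verifier))),
    // sent with code_challenge_method=S256 on the authorization request.
    public static string CreateCodeChallenge(string codeVerifier)
    {
        byte[] hash = SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier));
        return Base64UrlEncode(hash);
    }

    // Step 3 (authorization server): on the token request, recompute the challenge
    // from the presented code_verifier and compare it, in constant time, with the
    // challenge stored alongside the authorization code.
    public static bool VerifierMatchesChallenge(string codeVerifier, string storedChallenge)
    {
        byte[] expected = Encoding.ASCII.GetBytes(CreateCodeChallenge(codeVerifier));
        byte[] actual = Encoding.ASCII.GetBytes(storedChallenge);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // base64url without padding, as RFC 7636 requires.
    private static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Known-answer vector from RFC 7636, Appendix B.
        const string rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        Console.WriteLine($"RFC vector reproduces: {CreateCodeChallenge(rfcVerifier) == rfcChallenge}");

        // A fresh flow: the challenge goes out with the authorization request,
        // the verifier stays with the client until the token request.
        string verifier = CreateCodeVerifier();
        string challenge = CreateCodeChallenge(verifier);
        Console.WriteLine($"code_challenge={challenge}&code_challenge_method=S256");
        Console.WriteLine($"Correct verifier accepted: {VerifierMatchesChallenge(verifier, challenge)}");

        // A different client instance that only saw the challenge cannot redeem the code.
        string someoneElsesVerifier = CreateCodeVerifier();
        Console.WriteLine($"Other verifier accepted: {VerifierMatchesChallenge(someoneElsesVerifier, challenge)}");
    }
}
```

Note that nothing in this exchange proves which registered application is calling the token endpoint; only the client credential (the secret, or an alternative such as a signed client assertion) does that. That is the distinction behind both questions: a server-hosted app can keep a secret out of the browser, but it should still live outside checked-in settings (user secrets, environment variables or a vault) rather than in appsettings.json.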