FusionAuth
    Posts made by calumhall96

    • Using PKCE with Client Authentication Disabled

      When deploying an SPA, we want to use PKCE with the authorization code grant. However, we want our users to be able to utilise a refresh token for the duration of their sessions. Currently the only way that I can get this to work is by turning "Client Authentication" to "Not required" - instead of our current "Not required when using PKCE" setup.

      What is the recommended practice for setting up an SPA with the authorization_code and refresh_token grants? I believe that what we are doing is to spec (https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens). Would the recommendation here be to disable Client Authentication entirely? Or does that have its own risks?

      posted in Q&A by calumhall96