Add documentation for public client PKCE support

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc

@@ -154,3 +154,13 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	return http.build();
 }
 ----
+
+[[webflux-oauth2-login-public-client]]
+== Login With Public Client
+
+If your client is running on a untrusted host where you are unable to keep a secret (e.g. a desktop client, an insecure server environment, etc.) and your identity provider supports it, you can use Spring Security's PKCE support for public clients. https://tools.ietf.org/html/rfc7636[PKCE] utilizes the Authorization Code Flow to obtain access tokens without the need for a client secret. Spring Security will use PKCE automatically when the following conditions are true in your `ClientRegistration`:
+
+. `clientSecret` is empty
+. `clientAuthenticationMethod` is set to `ClientAuthenticationMethod.NONE`
+
+For default Spring Boot configuration like _<<webflux-oauth2-login-openid-provider-configuration,previously shown>>_, this is as simple as omitting `client-secret` and setting `client-authentication-method: none` in your client registration. For explicit configuration, ensure the above two conditions are met when creating your `ClientRegistration`.

docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc

@@ -221,6 +221,17 @@ return CommonOAuth2Provider.GOOGLE.getBuilder("google")
 ====
 
 
+[[oauth2login-advanced-public-client]]
+=== Login With Public Client
+
+If your client is running on a untrusted host where you are unable to keep a secret (e.g. a desktop client, an insecure server environment, etc.) and your identity provider supports it, you can use Spring Security's PKCE support for public clients. https://tools.ietf.org/html/rfc7636[PKCE] utilizes the Authorization Code Flow to obtain access tokens without the need for a client secret. Spring Security will use PKCE automatically when the following conditions are true in your `ClientRegistration`:
+
+. `clientSecret` is empty
+. `clientAuthenticationMethod` is set to `ClientAuthenticationMethod.NONE`
+
+For default Spring Boot configuration, this is as simple as omitting `client-secret` and setting `client-authentication-method: none` in your client registration. For explicit configuration, ensure the above two conditions are met when creating your `ClientRegistration`.
+
+
 [[oauth2login-advanced-userinfo-endpoint]]
 === UserInfo Endpoint
 

docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc

@@ -90,7 +90,7 @@ public final class ClientRegistration {
 <2> `clientId`: The client identifier.
 <3> `clientSecret`: The client secret.
 <4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
-The supported values are *basic* and *post*.
+The supported values are *basic*, *none* and *post*.
 <5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
  The supported values are authorization_code, implicit, and client_credentials.
 <6> `redirectUriTemplate`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent

docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc

@@ -402,6 +402,7 @@ The following additional resources describe advanced configuration options:
 
 * <<oauth2login-advanced-login-page, OAuth 2.0 Login Page>>
 * <<oauth2login-advanced-redirection-endpoint, Redirection Endpoint>>
+* <<oauth2login-advanced-public-client, Public Client>>
 * <<oauth2login-advanced-userinfo-endpoint, UserInfo Endpoint:>>
 ** <<oauth2login-advanced-map-authorities, Mapping User Authorities>>
 ** <<oauth2login-advanced-custom-user, Configuring a Custom OAuth2User>>