@yves So I found this that may be of interest to you.
For the Authorization Code Grant, if the clientAuthenticationPolicy value is Required, the client secret is required. If the value is NotRequired, the client secret is not required. If the value is NotRequiredWhenUsingPKCE and PKCE is used, the client secret is not required. If PKCE is not used, the client secret is required.
What is your setting there?