Tags: oauth-2.0, openid-connect, pkce

OpenID Connect PKCE and token authentication method


When using PKCE with OpenID Connect, can a client use client_secret_basic and client_secret_post as the authentication method or must None be selected?

What is acceptable practice here: combining the client secret with the PKCE flow, or not?


Solution

  • A client secret shouldn't be used if there's potential for it to be exposed or it can no longer be trusted for client authentication, so if this is a public client, then best practice is to not use it.

    PKCE and client secret are NOT mutually exclusive though.

    Its purpose is subtly different from client authentication: it is to protect against anyone in possession of the authorization code trading it for an access token. Rather, it has to be the same client that sent the authorization request.

    Client authentication also has this effect, if done securely. But it's an indirect outcome of the fact that you've identified the client.
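To make the "not mutually exclusive" point concrete, here is an added example (not code from the question or answer) showing the two checks a token endpoint performs independently: client authentication via client_secret_post for a confidential client, and the PKCE S256 verifier check for any client. The client registry, issued-code store and redirect URI are constructed stand-ins.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce_pair():
    # RFC 7636 S256: challenge = BASE64URL(SHA256(verifier)), no padding.
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def build_token_request(code, verifier, client_id, client_secret=None):
    # client_secret_post and PKCE are independent: a confidential client sends
    # both; a public client simply leaves client_secret out.
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": "https://client.example/cb",  # constructed placeholder
            "client_id": client_id, "code_verifier": verifier}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body

def token_endpoint(body, registered_clients, issued_codes):
    """Checks a token endpoint performs; plain dicts stand in for server registries."""
    client = registered_clients.get(body.get("client_id"))
    if client is None:
        return "invalid_client"
    # 1. Client authentication, only for confidential clients (secret registered).
    if client["secret"] is not None and not secrets.compare_digest(
            client["secret"], body.get("client_secret", "")):
        return "invalid_client"
    # 2. The code must exist, be unused (pop) and have been issued to this client.
    record = issued_codes.pop(body.get("code"), None)
    if record is None or record["client_id"] != body["client_id"]:
        return "invalid_grant"
    # 3. PKCE: the verifier must hash to the challenge sent with the authorization request.
    expected = b64url(hashlib.sha256(body.get("code_verifier", "").encode()).digest())
    if not secrets.compare_digest(expected, record["code_challenge"]):
        return "invalid_grant"
    return "ok"

if __name__ == "__main__":
    v, c = make_pkce_pair()
    clients = {"conf": {"secret": "s3cr3t"}}  # constructed registry
    codes = {"code1": {"client_id": "conf", "code_challenge": c}}
    print(token_endpoint(build_token_request("code1", v, "conf", "s3cr3t"), clients, codes))
```

A correct secret with a wrong or missing verifier still fails at step 3, which is the extra protection PKCE adds on top of client authentication.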