CasCap.Apis.GooglePhotos

Option to omit client secret during authorization allowing for use of this library in a distributed app

Open magicalpig opened this issue 1 month ago • 0 comments

I'm far from an expert on the matters of OAuth and Google's APIs, but here's what I have gathered:

  • in a distributed app, such as one that would run on a user's desktop, the app's client secret for the Google API should not be included in the distribution because then it ceases to be a secret.
  • the recommendation for such a distributed app is to use Authorization Code Flow with Proof Key for Code Exchange (PKCE). This flow does not require a client secret to be included in any authorization payloads.
  • Google's dotnet library for authorization supports a PKCE flow. In fact, its AuthorizeAsync method has a "usePkce" argument that defaults to true. This seems to have been introduced in June 2023.

There's one caveat though: it seems when you request credentials for your app from the Google Cloud Console and you specify the app as a "Desktop app", Google still wants to see a client secret in the authorization request. However, specifying the app as "Universal Windows Platform (UWP)" -- even if the app has nothing to do with UWP -- opens the door for your app to omit the client secret and only send the client id. For example, this code successfully authorizes a user:

// Requires the Google.Apis.Auth NuGet package.
using System.Threading;
using Google.Apis.Auth.OAuth2;

// Only the client id is supplied; ClientSecret is left unset.
UserCredential credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
  new ClientSecrets { ClientId = _settings.GoogleAPIClientId },
  [ "https://www.googleapis.com/auth/photoslibrary.readonly" ], // requested scopes
  "local_user_X",                                                // key for the local token store
  CancellationToken.None
);

I believe this flow, where the client secret is omitted, is also now the recommendation for single-page apps.

magicalpig May 26 '24 14:05
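The reason the client secret can be dropped in the flow described above is that PKCE replaces it with a per-request proof. The following is an added illustration (not code from CasCap.Apis.GooglePhotos or from Google's client library) of the RFC 7636 code_verifier / code_challenge derivation and of the check a token endpoint performs instead of validating a secret; the function names are my own.

```python
"""PKCE (RFC 7636) helpers: derive the S256 challenge a public client sends with
its authorization request, and the comparison the token endpoint performs when
the client later redeems the authorization code. Added example, not library code."""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32..96 random bytes give the required 43..128 chars."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("verifier must be 43..128 chars: use 32..96 bytes")
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_accepts_token_request(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the verifier the client
    presents and compare it, in constant time, with the challenge that was bound
    to the authorization code. No client secret is involved."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo() -> dict:
    """Legitimate redemption succeeds; a code redeemed without the original
    verifier (e.g. one observed in a redirect) is rejected."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)  # this is the only value sent up front
    return {
        "len_ok": 43 <= len(verifier) <= 128,
        "legit": server_accepts_token_request(challenge, verifier),
        "without_verifier": server_accepts_token_request(challenge, make_code_verifier()),
    }
```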