diff --git a/server/handlers.go b/server/handlers.go
index 4b5dddf9f3..f368777454 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -759,6 +759,10 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 }
 return
 }
+ if clientSecret == "" && client.Secret != "" && r.PostFormValue("code_verifier") != "" {
+ s.tokenErrHelper(w, errInvalidClient, "Missing client credentials. If you want to use PKCE without client_secret, create a public dex client.", http.StatusUnauthorized)
+ return
+ }
 if client.Secret != clientSecret {
 s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 return
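Review bot: The added branch is a diagnostics-only path — its condition (`clientSecret == ""` with a non-empty `client.Secret`) is already rejected by the `client.Secret != clientSecret` check immediately below, so it changes the error text but not what is accepted, and it deserves a comment saying so before a future reader treats it as the enforcement point, e.g. `// Diagnostic only: a confidential client doing PKCE without its secret is rejected by the generic secret check below anyway; give it an actionable message.` The more specific message does confirm to an unauthenticated caller that a given client_id is confidential, but the generic 401 versus success already leaks that, so the trade-off is acceptable and worth stating in the same comment. Separately, the comparison on the following context line is a plain `!=` on a credential; `subtle.ConstantTimeCompare([]byte(client.Secret), []byte(clientSecret)) != 1` would remove the timing side channel, though whether anything relies on the current form cannot be confirmed from this hunk. handleToken begins before and continues after the hunk.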