stacklok · jhrozek · Nov 29, 2025 · Nov 28, 2025
diff --git a/pkg/vmcp/config/validator.go b/pkg/vmcp/config/validator.go
@@ -102,10 +102,10 @@ func (v *DefaultValidator) validateIncomingAuth(auth *IncomingAuthConfig) error
 			return fmt.Errorf("incoming_auth.oidc.audience is required")
 		}
 
-		// Client secret env var should be set (references a Kubernetes Secret mounted as env var)
-		if auth.OIDC.ClientSecretEnv == "" {
-			return fmt.Errorf("incoming_auth.oidc.client_secret_env is required")
-		}
+		// ClientSecretEnv is optional - some OIDC flows don't require client secrets:
+		// - PKCE flows (public clients)
+		// - Token validation without introspection
+		// - Kubernetes service account token validation
 	}
 
 	// Validate authorization configuration

diff --git a/pkg/vmcp/config/validator_test.go b/pkg/vmcp/config/validator_test.go
@@ -127,6 +127,18 @@ func TestValidator_ValidateIncomingAuth(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "valid OIDC auth without client secret (public client)",
+			auth: &IncomingAuthConfig{
+				Type: "oidc",
+				OIDC: &OIDCConfig{
+					Issuer:   "https://example.com",
+					ClientID: "public-client",
+					Audience: "vmcp",
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "invalid auth type",
 			auth: &IncomingAuthConfig{