diff --git a/pkg/validation/providers.go b/pkg/validation/providers.go
index 4527b841..884e5da9 100644
--- a/pkg/validation/providers.go
+++ b/pkg/validation/providers.go
@@ -68,6 +68,11 @@ func providerRequiresClientSecret(provider options.Provider) bool {
 		return false
 	}
+	// PKCE with S256 doesn't require client secret
+	if provider.Type == "oidc" && provider.CodeChallengeMethod == "S256" {
+		return false
+	}
+
 	if provider.Type == "login.gov" {
 		return false
 	}
diff --git a/pkg/validation/providers_test.go b/pkg/validation/providers_test.go
index 065eb305..3618bb15 100644
--- a/pkg/validation/providers_test.go
+++ b/pkg/validation/providers_test.go
@@ -79,5 +79,35 @@ var _ = Describe("Providers", func() {
 			},
 			errStrings: []string{skipButtonAndMultipleProvidersMsg},
 		}),
+		Entry("with oidc provider using S256 PKCE and no client secret", &validateProvidersTableInput{
+			options: &options.Options{
+				Providers: options.Providers{
+					{
+						Type:                "oidc",
+						ID:                  "oidc-s256",
+						ClientID:            "client-id",
+						ClientSecret:        "",
+						ClientSecretFile:    "",
+						CodeChallengeMethod: "S256",
+					},
+				},
+			},
+			errStrings: []string{},
+		}),
+		Entry("with oidc provider using S256 PKCE and client secret", &validateProvidersTableInput{
+			options: &options.Options{
+				Providers: options.Providers{
+					{
+						Type:                "oidc",
+						ID:                  "oidc-s256",
+						ClientID:            "client-id",
+						ClientSecret:        "mysecret",
+						ClientSecretFile:    "",
+						CodeChallengeMethod: "S256",
+					},
+				},
+			},
+			errStrings: []string{},
+		}),
 	)
 })
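Review bot: The new S256 branch in providerRequiresClientSecret relaxes the client-secret requirement on the strength of the configured code-challenge method alone, and the one-line comment should say what that means operationally: PKCE binds the authorization code to the session that started the flow, it does not authenticate the client, so the provider is being treated as an OAuth public client and the upstream IdP must be registered to accept token requests for this client ID without client authentication, otherwise the misconfiguration surfaces at token exchange instead of at startup validation. Suggest `// PKCE with S256 treats the provider as a public client: no client secret is required here, but the IdP must allow unauthenticated token requests for this client ID`. Limiting the relaxation to S256 rather than any non-empty CodeChallengeMethod is the right call; the comment could note that "plain" is deliberately excluded so a future edit does not widen it. The function's opening and closing lines lie outside the hunk. The providers_test.go hunk covers S256 with and without a secret; a third entry with `CodeChallengeMethod: "plain"` and no secret, expecting the existing missing-client-secret error, would pin that the exemption is S256-only.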