Authorization Code Flow without Client Authentication


I would like to implement OAuth2 using authorization code flow in my webapp. Could you tell me how to implement this flow without client authentication?

$ curl --insecure -X POST \
    --url "" \
    --data "response_type=code" \
    --data "provision_key=JAnkP5RWqIwLEP4j66NLijmtmGPlqpMP" \
    --data "authenticated_userid=test" \
    --data "client_id=dns8Bn88T5XUivEYUZyxim9OFQqKIbDA"

$ curl --insecure -X POST \
    --url "" \
    --data "grant_type=authorization_code" \
    --data "redirect_uri=http://localhost" \
    --data "code=bgiuB3YNm94RiH886Nz7lA9fYm2bdyg5" \
    --data "client_id=dns8Bn88T5XUivEYUZyxim9OFQqKIbDA"
{"error_description":"Invalid client authentication","error":"invalid_client"}

According to rfc6749 - 4.1.3, I want to do like above since client_secret is NOT REQUIRED when my oauth2 application is a public client.