diff --git a/cli/server.go b/cli/server.go
index 41a957815fcd7..548f350bae9bc 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -694,7 +694,12 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				}
 			}
 
-			if vals.OIDC.ClientKeyFile != "" || vals.OIDC.ClientSecret != "" {
+			// As OIDC clients can be confidential or public,
+			// we should only check for a client id being set.
+			// The underlying library handles the case of no
+			// client secrets correctly. For more details on
+			// client types: https://oauth.net/2/client-types/
+			if vals.OIDC.ClientID != "" {
 				if vals.OIDC.IgnoreEmailVerified {
 					logger.Warn(ctx, "coder will not check email_verified for OIDC logins")
 				}
diff --git a/scripts/dev-oidc.sh b/scripts/dev-oidc.sh
index 6a6d6e08ac705..cf5a7e3c6964c 100755
--- a/scripts/dev-oidc.sh
+++ b/scripts/dev-oidc.sh
@@ -49,6 +49,17 @@ cat <<EOF >/tmp/example-realm.json
       "baseUrl": "/coder",
       "redirectUris": ["*"],
       "secret": "coder"
+    },
+    {
+      "clientId": "coder-public",
+      "publicClient": true,
+      "directAccessGrantsEnabled": true,
+      "enabled": true,
+      "fullScopeAllowed": true,
+      "baseUrl": "/coder",
+      "redirectUris": [
+        "*"
+      ]
     }
   ]
 }
@@ -79,6 +90,9 @@ hostname=$(hostname -f)
 export CODER_OIDC_ISSUER_URL="http://${hostname}:9080/realms/coder"
 export CODER_OIDC_CLIENT_ID=coder
 export CODER_OIDC_CLIENT_SECRET=coder
+# Comment out the two lines above, and comment in the line below,
+# to configure OIDC auth using a public client.
+# export CODER_OIDC_CLIENT_ID=coder-public
 export CODER_DEV_ACCESS_URL="http://${hostname}:8080"
 
 exec "${SCRIPT_DIR}/develop.sh" "$@"