OAuth defines two client types, confidential and public.
https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

> The client type designation is based on the authorization server's definition 
> of secure authentication and its acceptable exposure levels of client 
> credentials.  The authorization server SHOULD NOT make assumptions about the 
> client type.

Yet I've come across multiple authorization servers that don't record
the client type during registration [1][2]. This is an antipattern.
Such servers typically assume all clients to be confidential,
neglecting security measures appropriate for public clients.

Is this authorization server antipattern worth discussing in
OAuth 2.0 Security Best Current Practice?
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics

The instruction is implicit but easy to miss in RFC 6749 because the
text puts the onus on the client developer rather than the
authorization server.
https://datatracker.ietf.org/doc/html/rfc6749#section-2

> When registering a client, the client developer SHALL: specify the client type

Thankfully draft OAuth 2.1 is strong and unambiguous
https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#name-registration-of-native-app-

> Authorization servers MUST record the client type in the client registration 
> details in order to identify and process requests accordingly

[1] screenshots of client registration with various authorization
servers https://imgur.com/a/GADt0MO

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
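As an added illustration (not code from the post above or from any real authorization server), a toy Python authorization server that records the client type at registration, as the draft OAuth 2.1 text requires, and lets that record drive request handling: a confidential client is issued a secret and must authenticate with it, while a public client is never issued one and must instead complete PKCE. The class, method names and the `s256` helper are assumptions for this example.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

CLIENT_TYPES = {"confidential", "public"}


@dataclass
class Client:
    client_id: str
    client_type: str              # recorded at registration, never assumed
    client_secret: Optional[str]  # only confidential clients are issued one


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self):
        self.clients = {}
        self.codes = {}  # authorization code -> (client_id, code_challenge or None)

    def register(self, client_type: str) -> Client:
        # Refusing registration without a client type avoids the antipattern
        # of silently treating every client as confidential.
        if client_type not in CLIENT_TYPES:
            raise ValueError("client_type must be 'confidential' or 'public'")
        secret = secrets.token_urlsafe(32) if client_type == "confidential" else None
        client = Client(secrets.token_hex(8), client_type, secret)
        self.clients[client.client_id] = client
        return client

    def authorize(self, client_id: str, code_challenge: Optional[str] = None) -> str:
        client = self.clients[client_id]
        if client.client_type == "public" and not code_challenge:
            raise PermissionError("public client must send a PKCE code_challenge")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, client_secret=None, code_verifier=None) -> str:
        client = self.clients.get(client_id)
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if client is None or entry is None or entry[0] != client_id:
            return "invalid_grant"
        if client.client_type == "confidential":
            if client_secret is None or not secrets.compare_digest(client_secret, client.client_secret):
                return "invalid_client"
        elif client_secret is not None:
            return "invalid_client"  # a public client has no secret to present
        # PKCE is mandatory for public clients (enforced in authorize) and is
        # verified for any client that bound a challenge to the code.
        if entry[1] is not None and (code_verifier is None or s256(code_verifier) != entry[1]):
            return "invalid_grant"
        return "access_token_issued"
```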
