Re: [OAUTH-WG] Refresh tokens

2019-07-11 Thread George Fletcher
You are correct that client authentication is not required for public clients (which doesn't preclude the use of refresh_tokens) but from my perspective it weakens the security because anyone with the refresh_token is able to get new access_tokens without any additional proof. Now if the SPA p
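The difference George Fletcher is describing, shown as an added example (not code from this thread or from any OAuth working-group draft): a simulated token endpoint handling the refresh_token grant. For a confidential client the endpoint demands client authentication, so a stolen refresh token alone is useless; for a public client (an SPA or native app) nothing but the refresh token is checked, so whoever holds it can mint new access tokens. The third client shows one form of "additional proof": the refresh token is tied to a certificate thumbprint that the caller must present, in the spirit of the certificate-bound tokens draft announced in the next thread, but this is a simplified illustration, not that draft's mechanism as specified. Client IDs, the secret, and the certificate bytes are constructed for the example.

```python
"""Added example: simulated OAuth 2.0 token endpoint for the refresh_token grant.

Constructed for illustration; not code from the OAUTH-WG thread or any WG draft.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def cert_thumbprint(cert_der: bytes) -> str:
    """Base64url-encoded SHA-256 of a DER certificate (the x5t#S256 form)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str] = None     # None => public client (SPA / native app)
    cert_thumbprint: Optional[str] = None   # set => refresh token is sender-constrained


class TokenEndpoint:
    def __init__(self, clients):
        self.clients: Dict[str, Client] = {c.client_id: c for c in clients}
        self.refresh_tokens: Dict[str, str] = {}   # refresh_token -> client_id

    def issue_refresh_token(self, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = client_id
        return token

    def refresh(self, client_id, refresh_token, client_secret=None, presented_cert_der=None):
        client = self.clients.get(client_id)
        if client is None or self.refresh_tokens.get(refresh_token) != client_id:
            return {"error": "invalid_grant"}
        # Confidential client: must authenticate on every token request.
        if client.client_secret is not None:
            if client_secret is None or not hmac.compare_digest(client_secret, client.client_secret):
                return {"error": "invalid_client"}
        # Optional extra proof: caller must present the certificate the token is bound to
        # (simplified illustration of sender-constraining; assumption, not a spec mechanism).
        if client.cert_thumbprint is not None:
            if presented_cert_der is None or cert_thumbprint(presented_cert_der) != client.cert_thumbprint:
                return {"error": "invalid_client"}
        # Plain public client: possession of the refresh token was the only check.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenarios():
    """Exercise the three client types; returns each outcome keyed by scenario name."""
    spa_cert = b"-- constructed DER bytes standing in for the SPA's client certificate --"
    endpoint = TokenEndpoint([
        Client("spa-public"),                                              # constructed
        Client("backend-confidential", client_secret="s3cr3t-constructed"),
        Client("spa-mtls", cert_thumbprint=cert_thumbprint(spa_cert)),
    ])
    results = {}
    # 1. Attacker holding a public client's refresh token needs nothing else.
    rt = endpoint.issue_refresh_token("spa-public")
    results["public_stolen"] = endpoint.refresh("spa-public", rt)
    # 2. The same theft from a confidential client fails without the client secret.
    rt = endpoint.issue_refresh_token("backend-confidential")
    results["confidential_stolen"] = endpoint.refresh("backend-confidential", rt)
    results["confidential_legit"] = endpoint.refresh(
        "backend-confidential", rt, client_secret="s3cr3t-constructed")
    # 3. Public client whose token is bound to a certificate: attacker lacks the cert.
    rt = endpoint.issue_refresh_token("spa-mtls")
    results["mtls_stolen"] = endpoint.refresh("spa-mtls", rt)
    results["mtls_legit"] = endpoint.refresh("spa-mtls", rt, presented_cert_der=spa_cert)
    return results
```

Running run_scenarios() shows the asymmetry directly: the "spa-public" theft yields a fresh access token, while the confidential and certificate-bound thefts are refused with invalid_client until the secret or certificate is presented.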

[OAUTH-WG] Last Call: (OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens) to Proposed Standard

2019-07-11 Thread The IESG
The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits f