While not widely deployed, the OAuth2 solution to a deployment of
"public clients" that need to be able to transition to "confidential
clients" so that client authentication makes sense, is to use Dynamic
Client Registration (RFC 7591).
Dynamic Client Registration allows the public client to
Dear,
I notice that many API Gateway providers are requiring the authentication of
the client, even for public client types.
e.g.
https://docs.apigee.com/api-platform/security/oauth/implementing-password-grant-type