top | item 25316564


different_sort | 5 years ago

Implicit grant is deprecated; the forthcoming OAuth 2.1 [1] standard solidifies this.

We start using the language "public client" and "private client", where a public client is an OAuth client like a mobile app or SPA that does not have a client secret, but has an access token delegated to it (plus an optional refresh token). Public clients must use implicit+PKCE.

Private clients are what we would have previously thought of as an Authorization code grant client where a server process has an access token to take actions on behalf of a user.

Depending on the OAuth use case, maintainers of the system may need to keep track of what clients are public or private, and limit their entitlements accordingly.

Public clients have the obvious issue that they're on an end-user device and thus the tokens may be stolen; proposed standards like JWT DPoP [2] and token binding [3] aim to address this.

[1] https://oauth.net/2.1/

[2] https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

[3] https://tools.ietf.org/html/rfc8471 . Though I should say token binding does seem like it will never go anywhere.

This space is insane and hard to keep up with.
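Added example, not code from the comment above: the PKCE mechanism (RFC 7636) that the comment says public clients must use. The client generates a random code_verifier and sends only its S256 hash (the code_challenge) on the authorization request; the authorization server stores the challenge with the issued code and, at the token endpoint, only redeems the code when the caller can present the matching verifier. So a code stolen from a redirect URI, a log, or a device is useless without the verifier that never left the client. The `AuthorizationServer` class and its in-memory code table are a hypothetical stand-in for the PKCE-relevant part of a real server; the RFC 7636 Appendix B verifier/challenge pair is used to check the transform.

```python
"""PKCE (RFC 7636) for a public client: verifier/challenge on the client side,
challenge storage and verifier check on the authorization-server side.
Added example; AuthorizationServer is a hypothetical in-memory stand-in."""
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: verifier is 43..128 chars of the unreserved set.
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 unreserved chars (the RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: only the PKCE-relevant parts of /authorize and /token."""

    def __init__(self):
        # code -> {"client_id", "challenge", "used"}; a real AS also stores
        # redirect_uri, scope, expiry and the resource owner.
        self._codes = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str) -> str:
        # Public clients must send a challenge, and "plain" is refused:
        # it would let anyone who sees the challenge replay it as the verifier.
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("invalid_request: S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id,
                             "challenge": code_challenge, "used": False}
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._codes.get(code)
        if entry is None or entry["used"] or entry["client_id"] != client_id:
            return None
        # Burn the code on first presentation, even if verification fails,
        # so a stolen code cannot be retried by whoever got it.
        entry["used"] = True
        if not (43 <= len(code_verifier) <= 128):
            return None
        if not set(code_verifier) <= _UNRESERVED:
            return None
        expected = make_code_challenge(code_verifier)
        if not hmac.compare_digest(expected, entry["challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo() -> dict:
    """Honest exchange, replay of a redeemed code, and a stolen code without
    its verifier. Returns whether each attempt produced a token."""
    server = AuthorizationServer()

    # Flow 1: honest SPA completes the exchange, then the code is replayed.
    v1 = make_code_verifier()
    c1 = server.authorize("spa-client", make_code_challenge(v1), "S256")
    legit = server.token("spa-client", c1, v1)
    replay = server.token("spa-client", c1, v1)

    # Flow 2: attacker intercepted the code but never saw the verifier.
    v2 = make_code_verifier()
    c2 = server.authorize("spa-client", make_code_challenge(v2), "S256")
    stolen = server.token("spa-client", c2, make_code_verifier())

    # A client asking for the "plain" method is refused at /authorize.
    try:
        server.authorize("spa-client", v2, "plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {"legit": legit is not None, "replay": replay is not None,
            "stolen": stolen is not None, "plain_rejected": plain_rejected}


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is which side holds what: the verifier is created on the device and only its hash crosses the wire, so PKCE protects the code in transit and at rest on the server, but it does nothing for a token that is already on the device; that is the gap the comment's DPoP and token-binding references are about.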
