The current proposed stable requirements state the following:
Requirements for OpenID Providers
OpenID Providers:
...
- MUST support public clients as defined in [RFC6749];
If an enterprise is not willing to support public clients (most commonly this is just native applications), what is the enterprise IDP supposed to do from a conformance perspective? Allow them for testing and then turn off the capability? Require all "public" clients to use DCR to move to being a "confidential" client?
How many SaaS RPs are only public clients? Is that really a "good thing" if they are a service and can protect a secret?
If the key goal is to support native applications (most commonly mobin apps) that have to pre-register (currently a requirement) and also register the callback URL (also a current requirement) and make the registered callback URL a "claimed URL" as in an iOS universal link or an Android App Link (not currently a requirement) then I think we should not point to RFC 6749 but rather RFC 8252 OAuth 2.0 for Native Apps. I'm not sure we should support web applications as public clients.
The current proposed stable requirements state the following:
If an enterprise is not willing to support public clients (most commonly this is just native applications), what is the enterprise IDP supposed to do from a conformance perspective? Allow them for testing and then turn off the capability? Require all "public" clients to use DCR to move to being a "confidential" client?
How many SaaS RPs are only public clients? Is that really a "good thing" if they are a service and can protect a secret?
If the key goal is to support native applications (most commonly mobin apps) that have to pre-register (currently a requirement) and also register the callback URL (also a current requirement) and make the registered callback URL a "claimed URL" as in an iOS universal link or an Android App Link (not currently a requirement) then I think we should not point to RFC 6749 but rather RFC 8252 OAuth 2.0 for Native Apps. I'm not sure we should support web applications as public clients.