Configuring OpenID Connect Support of Public Clients

OpenID Connect public clients are defined as:

“Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.”

Source: OAuth 2.0 specification RFC6749 - section 2.1

This covers most smartphone apps and all browser-embedded apps. Such clients need extra security precautions. In ActivID Appliance, public clients are supported, but only with the Authorization Code Grant flow with PKCE.

In ActivID Appliance, a public client needs to be explicitly defined as a public client.
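The following added example (not ActivID Appliance code) shows why the Authorization Code Grant with PKCE is the flow a public client can use safely: the app keeps a random code_verifier in memory and sends only its SHA-256 challenge on the authorization request, so an intercepted authorization code cannot be redeemed without the verifier. The ToyAuthServer class and the client_id "mobile-app" are constructed stand-ins for an OpenID provider's authorization and token endpoints.

```python
"""PKCE (RFC 7636) for a public client, with a constructed in-memory provider."""
import base64
import hashlib
import secrets


def _b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, inside the 43..128 range of RFC 7636 section 4.1
    return _b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Constructed stand-in for an OpenID provider; it stores the challenge with the issued code."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # A public client must present an S256 challenge; 'plain' is refused here.
        if method != "S256":
            raise ValueError("public clients must use code_challenge_method=S256")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> bool:
        # Codes are single use: any redemption attempt, right or wrong, consumes the code.
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return False
        # Recompute the challenge from the presented verifier and compare in constant time.
        return secrets.compare_digest(s256_challenge(code_verifier), entry[1])


def run_authorization_request(server: ToyAuthServer, client_id: str = "mobile-app") -> tuple[str, str]:
    """Client side: create the verifier, send only its challenge, receive the code."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, s256_challenge(verifier))
    return verifier, code
```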

Topics in this section: