
Problems with authorization servers that don't support public clients #161

hickford opened this issue Jul 27, 2023 · 3 comments
hickford commented Jul 27, 2023

https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html

Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly

Unfortunately many authorization servers don't record client type. Some authorization servers explicitly say that they don't support public clients. Is this okay? Banning public clients tempts app developers to bend the rules and register a public client as a confidential client, compromising security.

SourceHut bans public clients https://man.sr.ht/meta.sr.ht/oauth.md

Only confidential clients are supported; public clients are not allowed

Azure DevOps bans public clients https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/azure-devops-oauth?view=azure-devops

Can I use OAuth with my mobile phone app? No. Azure DevOps Services only supports the web server flow... as [public clients] can't securely store the app secret.

GitHub doesn't record client type but seems to deduce it based on redirect URI https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app


hickford commented Jul 27, 2023

Mailing list discussion https://mailarchive.ietf.org/arch/msg/oauth/iJ6WAbJzHWiGmaFO-qAzg30B_28/

Such servers typically assume all clients to be confidential, neglecting security measures appropriate for public clients.
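The spec line quoted above ("record the client type ... and process requests accordingly") as an added example; this is not code from the issue or from any authorization server it names. It assumes a constructed client registry and an OAuth 2.1-style token endpoint: PKCE is checked for every client, and client authentication is demanded only from confidential clients, so a public client is neither forced to embed a secret nor waved through without PKCE.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    """Registration record; client_type is what the AS MUST store."""
    client_id: str
    client_type: str                     # "confidential" or "public"
    client_secret: Optional[str] = None  # only confidential clients have one


# Constructed registry for the example: one client of each type.
REGISTRY = {
    "web-app": Client("web-app", "confidential", client_secret="constructed-secret"),
    "mobile-app": Client("mobile-app", "public"),
}


def s256_challenge(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_request_ok(client_id: str, client_secret: Optional[str],
                     code_verifier: str, stored_challenge: str) -> bool:
    """Decide an authorization-code token request according to client type."""
    client = REGISTRY.get(client_id)
    if client is None:
        return False
    # PKCE binds the code to the party that started the flow; required for all clients.
    if not hmac.compare_digest(s256_challenge(code_verifier), stored_challenge):
        return False
    if client.client_type == "confidential":
        # Confidential clients must authenticate at the token endpoint (constant-time compare).
        return client_secret is not None and hmac.compare_digest(client_secret, client.client_secret)
    # Public clients cannot keep a secret, so none is demanded; a secret shipped inside a
    # distributable app would prove nothing, which is why it is not treated as authentication.
    return True


def demo() -> dict:
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # constructed code_verifier
    challenge = s256_challenge(verifier)                       # stored at /authorize time
    return {
        "confidential_with_secret": token_request_ok("web-app", "constructed-secret", verifier, challenge),
        "confidential_no_secret": token_request_ok("web-app", None, verifier, challenge),
        "public_no_secret": token_request_ok("mobile-app", None, verifier, challenge),
        "public_bad_verifier": token_request_ok("mobile-app", None, "wrong-verifier", challenge),
    }
```

An AS that records no client type ends up running only the confidential branch, which is the failure the comment describes: every caller must present a secret, so mobile and desktop apps either cannot register or embed one.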


aaronpk commented May 11, 2024

I don't think there is any requirement in the spec that an AS has to support both types of clients. Did you see any language to the contrary?


aaronpk commented Nov 20, 2024

Add an explicit mention in https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#section-2.1 that an AS doesn't have to support public clients.

@aaronpk aaronpk added this to the version -13 milestone Nov 20, 2024