Denote whether OAuth 2 clients are public or confidential

Description

Public OAuth clients have different security considerations than confidential OAuth clients (before this ticket is completed, all clients in Synapse should be considered confidential). Thus, we should have a way to determine if an OAuth client is public or confidential. This may be indicated by the creator of the client at the time of creation.

Sample of specific behavior that only applies to public clients:

  • Public clients may or may not be issued client secrets (they provide no security benefit)

  • Public clients should be required to use PKCE

  • Consent records should not be saved for public clients
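As an added illustration of the behaviours listed above (not code from the Synapse project), the following sketch branches a token-endpoint check on a hypothetical `is_public` flag recorded at client creation: public clients must present a valid PKCE `code_verifier` and are not authenticated by a secret, confidential clients must authenticate with their secret, and consent is persisted only for confidential clients. The `OAuthClient` shape, the S256-only PKCE policy and the SHA-256 secret hashing are assumptions of this example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class OAuthClient:
    client_id: str
    is_public: bool                  # assumed field, set by the creator at registration
    secret_hash: Optional[bytes]     # None for public clients: a secret adds nothing there


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_matches(stored_challenge: str, code_verifier: Optional[str]) -> bool:
    """Constant-time comparison of the recomputed challenge against the stored one."""
    if not code_verifier:
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


def verify_token_request(client: OAuthClient, presented_secret: Optional[str],
                         stored_challenge: Optional[str],
                         code_verifier: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for an authorization-code exchange."""
    if client.is_public:
        # Public client: PKCE is mandatory; a client_secret is neither required nor trusted.
        if not stored_challenge:
            return False, "pkce_required"
        if not pkce_matches(stored_challenge, code_verifier):
            return False, "invalid_grant"
        return True, "ok"
    # Confidential client: must authenticate with its secret (hashed at rest in this example).
    if presented_secret is None or client.secret_hash is None:
        return False, "invalid_client"
    presented_hash = hashlib.sha256(presented_secret.encode("utf-8")).digest()
    if not hmac.compare_digest(presented_hash, client.secret_hash):
        return False, "invalid_client"
    # PKCE is optional for confidential clients but enforced if the auth request used it.
    if stored_challenge and not pkce_matches(stored_challenge, code_verifier):
        return False, "invalid_grant"
    return True, "ok"


def should_persist_consent(client: OAuthClient) -> bool:
    """Consent records are kept only for confidential clients."""
    return not client.is_public
```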

Environment

None

Assignee

Unassigned

Reporter

Nick Grosenbacher

Labels

None

Validator

Bruce Hoff

Development Area

None

Release Version History

None

Epic Link

Priority

Major