Public OAuth clients have different security considerations than confidential OAuth clients (before this ticket is completed, all clients in Synapse should be considered confidential). Thus, we should have a way to determine if an OAuth client is public or confidential. This may be indicated by the creator of the client at the time of creation.
Sample of specific behavior that only applies to public clients:
Public clients may or may not be issued client secrets (they provide no security benefit)
Public clients should be required to use PKCE
Consent records should not be saved for public clients