Should enterprise IDPs be required to support public clients

[gffletch]

The current proposed stable requirements state the following:

Requirements for OpenID Providers

OpenID Providers:

...

• MUST support public clients as defined in [RFC6749];

If an enterprise is not willing to support public clients (most commonly this is just native applications), what is the enterprise IDP supposed to do from a conformance perspective? Allow them for testing and then turn off the capability? Require all "public" clients to use DCR to move to being a "confidential" client?

How many SaaS RPs are only public clients? Is that really a "good thing" if they are a service and can protect a secret?

If the key goal is to support native applications (most commonly mobin apps) that have to pre-register (currently a requirement) and also register the callback URL (also a current requirement) and make the registered callback URL a "claimed URL" as in an iOS universal link or an Android App Link (not currently a requirement) then I think we should not point to RFC 6749 but rather RFC 8252 OAuth 2.0 for Native Apps. I'm not sure we should support web applications as public clients.

[dickhardt]

If PKCE is required, then the security posture of a public client using a registered redirect uri is pretty much the same as a confidential client is it not @gffletch ?

[gffletch]

So if the goal is to prevent client impersonation, then no, they aren't the same. If the registered redirect url is also registered on the mobile devices as a universal link (iOS) then it's close. However, Android isn't as secure for "claimed URLs" on the device.

For me, the main security issue with "public" clients is the issue of client impersonation.

[timcappalli]

Android isn't as secure for "claimed URLs" on the device

iOS Universal Links and Android App Links are nearly identical. The core difference is that on Android, a user can set their own mappings if they choose.

[gffletch]

Are you saying that Android closed the bug where if the original app is NOT installed on the android device then another app can no longer claim that URL?

And if the did fix it, how many OS versions back did they take the fix? Android does not follow the same upgrade path that iOS does.