oauth - 应用程序类型 (OpenID Connect) 是否对应于客户端类型 (OAuth 2.0)？

Question

“OpenID Connect Dynamic Client Registration 1.0 , 2. Client Metadata ”有一个名为 的条目应用程序类型 ，其定义值为 原生 和 网络 .

application_type
   OPTIONAL. Kind of the application. The default, if omitted, is web.
   The defined values are native or web. Web Clients using the OAuth
   Implicit Grant Type MUST only register URLs using the https scheme
   as redirect_uris; they MUST NOT use localhost as the hostname. Native
   Clients MUST only register redirect_uris using custom URI schemes or
   URLs using the http: scheme with localhost as the hostname.
   Authorization Servers MAY place additional constraints on Native
   Clients. Authorization Servers MAY reject Redirection URI values
   using the http scheme, other than the localhost case for Native
   Clients. The Authorization Server MUST verify that all the registered 
   redirect_uris conform to these constraints. This prevents sharing a
   Client ID across different types of Clients.  

这些定义的值是否对应于 公众 和 保密 在“ RFC 6749 (OAuth 2.0), 2.1. Client Types ”中描述？

OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):

confidential
   Clients capable of maintaining the confidentiality of their
   credentials (e.g., client implemented on a secure server with
   restricted access to the client credentials), or capable of secure
   client authentication using other means.

public
   Clients incapable of maintaining the confidentiality of their
   credentials (e.g., clients executing on the device used by the
   resource owner, such as an installed native application or a web
   browser-based application), and incapable of secure client
   authentication via any other means.

如果没有，为什么规范(OpenID Connect 动态客户端注册 1.0)没有指定客户端类型的条目？有没有办法在 client registration endpoint 上指定客户端类型(公共(public)或 secret )？ ?

Answer 1

如果“OpenID Connect Dynamic Client Registration 1.0 , 2. Client Metadata ”中的“ Native Clients ”表示“RFC 6749 (OAuth 2.0) , 2.1 Client Types ”中的“ native 应用程序 ”(是的，显然是这样)，Native客户总是公众 客户。
如果“OpenID Connect Dynamic Client Registration 1.0、2. Client Metadata”中的“ Web 客户端 ”表示“RFC 6749 (OAuth 2.0)、2.1 Client Types”中的“ Web 应用程序 ”，但不包括“”基于用户代理的应用程序 ”，Web 客户端始终为 保密 客户。
使用上述解释，application_type=native 和 application_type=web 分别对应 public 和 secret 。
但是，application_type 的要求:

Web Clients using the OAuth Implicit Grant Type MUST only
register URLs using the https scheme as redirect_uris; they
MUST NOT use localhost as the hostname. Native Clients MUST
only register redirect_uris using custom URI schemes or URLs
using the http: scheme with localhost as the hostname.

与客户端是否“能够维护其凭据的 secret 性”(来自 RFC 6749)无关。换句话说，重定向 URI 与如何验证客户端无关。因此，在我看来，应用程序类型和客户端类型是不同的概念。
奇怪的是所有 OAuth 2.0 客户端 必须符合“redirect_uris”要求中的任何一个(一个用于 Web 客户端，另一个用于本地客户端)，因此当省略 application_type 时，将“web”用作默认值可能是不合适的。恕我直言，当省略 application_type 时，不应假定“ native ”或“网络”。但是，我可能会遗漏一些东西。是否有任何理由对所有 施加“redirect_uris”要求？ OpenID Connect 客户端 ?
无论如何，我的结论是应用程序类型和客户端类型是不同的。我希望将client_type(公共(public)或 secret )添加到客户端元数据列表中，并且当 client registration requests中不包含application_type时，既不使用'native'也不使用'web'作为默认值。 .