"OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" has an entry named application_type whose defined values are native and web:
application_type
OPTIONAL. Kind of the application. The default, if omitted, is web.
The defined values are native or web. Web Clients using the OAuth
Implicit Grant Type MUST only register URLs using the https scheme
as redirect_uris; they MUST NOT use localhost as the hostname. Native
Clients MUST only register redirect_uris using custom URI schemes or
URLs using the http: scheme with localhost as the hostname.
Authorization Servers MAY place additional constraints on Native
Clients. Authorization Servers MAY reject Redirection URI values
using the http scheme, other than the localhost case for Native
Clients. The Authorization Server MUST verify that all the registered
redirect_uris conform to these constraints. This prevents sharing a
Client ID across different types of Clients. 这些定义的值是否对应于“confidential (OAuth 2.0),2.1。客户类型”中描述的公共和2.1。客户类型?
OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):
confidential
Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
restricted access to the client credentials), or capable of secure
client authentication using other means.
public
Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the
resource owner, such as an installed native application or a web
browser-based application), and incapable of secure client
authentication via any other means.

If not, why doesn't the specification (OpenID Connect Dynamic Client Registration 1.0) have an entry to specify the client type? Is there any way to specify the client type (public or confidential) at the client registration endpoint?
Posted on 2014-05-10 16:46:53
If "Native Client" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "native application" in "RFC 6749 (OAuth 2.0), 2.1. Client Types" (which it apparently does), then a Native Client is always a public client.
If "Web Clients" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "web application" in "RFC 6749 (OAuth 2.0), 2.1. Client Types" but does not include "user-agent-based application", then a Web Client is always a confidential client.
With the above interpretation, application_type=native and application_type=web correspond to public and confidential, respectively.
However, the requirement on application_type:
Web Clients using the OAuth Implicit Grant Type MUST only
register URLs using the https scheme as redirect_uris; they
MUST NOT use localhost as the hostname. Native Clients MUST
only register redirect_uris using custom URI schemes or URLs
using the http: scheme with localhost as the hostname.

has nothing to do with whether the client is "capable of maintaining the confidentiality of their credentials" (from RFC 6749). In other words, the redirect URIs are unrelated to how the client is authenticated. Therefore, in my opinion, Application and Client are different concepts.
Strangely, all OAuth 2.0 clients must satisfy either of the requirements on "redirect_uris" (one for Web Clients and the other for Native Clients), so using "web" as the default value when application_type is omitted may be inappropriate. IMHO, neither "native" nor "web" should be assumed when application_type is omitted. However, I may be missing something. Is there any reason to impose the "redirect_uris" requirements on all OpenID Connect clients?
In summary, my conclusion is that application type and client type are different. I hope that client_type (public or confidential) is added to the list of client metadata, and that neither "native" nor "web" is used as the default value when application_type is not included in the client registration request.
https://stackoverflow.com/questions/23557801
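The redirect_uris rule quoted in both the question and the answer is the check an Authorization Server "MUST verify" at registration time. The following is an added example of that check, written for this page; it is not code from the OpenID Connect specification, from the question's author, or from any authorization-server implementation. It assumes the registration request has already been parsed into a Python dict, it uses the spec's own defaults (application_type "web", grant_types ["authorization_code"]), and it models the "MAY reject Redirection URI values using the http scheme" choice as a reject_plain_http flag. The sample requests, hostnames such as rp.example.com, and the scheme com.example.app are constructed for illustration. Note that the validator never looks at token_endpoint_auth_method: the constraint is keyed on application_type and the URIs alone, which is the separation the answer above describes.

```python
"""Validate redirect_uris against the application_type rules of
OpenID Connect Dynamic Client Registration 1.0, section 2 (added example).

Assumptions (not from the page): the request is a dict parsed from JSON;
reject_plain_http models the server's optional rejection of http: URIs;
"localhost" is matched against the full hostname only, exactly as the
quoted text says, so loopback IP literals are treated as ordinary hosts.
"""
from typing import Optional
from urllib.parse import urlsplit

SPEC_DEFAULT_APPLICATION_TYPE = "web"            # "The default, if omitted, is web."
SPEC_DEFAULT_GRANT_TYPES = ["authorization_code"]  # grant_types default in the same spec


def _check_one(uri: str, app_type: str, implicit: bool,
               reject_plain_http: bool) -> Optional[str]:
    """Return a violation message for one URI, or None if it is acceptable."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    # Compare the whole hostname: "localhost.attacker.example" must not pass
    # as "localhost", so never use startswith() here.
    host = (parts.hostname or "").lower()

    if app_type == "native":
        if scheme == "http":
            if host != "localhost":
                return f"{uri}: native clients may use http: only with localhost as the hostname"
            return None
        if scheme in ("https", ""):
            return f"{uri}: native clients must use a custom URI scheme or http://localhost"
        return None  # custom scheme such as com.example.app:/cb

    # app_type == "web"
    if implicit:
        if scheme != "https":
            return f"{uri}: web clients using the implicit grant must register https URLs"
        if host == "localhost":
            return f"{uri}: web clients using the implicit grant must not use localhost as the hostname"
        return None
    if scheme == "http" and reject_plain_http:
        return f"{uri}: http: redirect URIs are rejected by this server (spec: MAY reject)"
    return None


def validate_registration(metadata: dict, *, reject_plain_http: bool = True) -> list:
    """Return the list of violations for a registration request; [] means it passes."""
    app_type = metadata.get("application_type", SPEC_DEFAULT_APPLICATION_TYPE)
    if app_type not in ("native", "web"):
        return [f"application_type {app_type!r} is not one of native, web"]
    uris = metadata.get("redirect_uris") or []
    if not uris:
        return ["redirect_uris is REQUIRED and must be a non-empty array"]
    implicit = "implicit" in metadata.get("grant_types", SPEC_DEFAULT_GRANT_TYPES)
    problems = [_check_one(u, app_type, implicit, reject_plain_http) for u in uris]
    return [p for p in problems if p]


# Constructed sample registration requests (not taken from the original page).
EXAMPLES = {
    # Confidential client: server-side web app with a client secret.
    "confidential_web": {
        "application_type": "web",
        "redirect_uris": ["https://rp.example.com/cb"],
        "token_endpoint_auth_method": "client_secret_basic",
    },
    # Public client that is still application_type "web": a browser SPA on the
    # implicit grant. Its http://localhost URI violates the implicit-grant rule.
    "browser_spa_implicit": {
        "application_type": "web",
        "grant_types": ["implicit"],
        "redirect_uris": ["https://spa.example.com/cb", "http://localhost:3000/cb"],
        "token_endpoint_auth_method": "none",
    },
    "native_ok": {
        "application_type": "native",
        "redirect_uris": ["com.example.app:/oauth2redirect", "http://localhost:8080/cb"],
    },
    # Hostname that merely starts with "localhost": must be rejected.
    "native_lookalike": {
        "application_type": "native",
        "redirect_uris": ["http://localhost.attacker.example/cb"],
    },
    # application_type omitted, so the spec default "web" applies to native-style URIs.
    "omitted_type_native_style": {
        "redirect_uris": ["com.example.app:/cb", "http://localhost/cb"],
    },
}

if __name__ == "__main__":
    for name, request in EXAMPLES.items():
        print(name, validate_registration(request) or "OK")
```

Running the module prints one line per sample: the confidential web client and the native client pass, the SPA and the lookalike host each report one violation, and the request with application_type omitted fails only because this server chooses to reject http: URIs for web clients (pass reject_plain_http=False to see it accepted).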