When dealing with API clients, it is important to distinguish between the different types of clients which are using an API. This is especially important when looking at the different OAuth2.0 flows. OAuth2.0 in the basic specification only distinguishes two different types of clients: public and confidential clients.
Wicked also distinguishes two different types of public clients: single page applications (browser based applications) and native or mobile applications, which usually run on a client's device, e.g. as a desktop application, or as a mobile application on an Android or iOS device.
This help page describes what the nature of each type of client is.
A confidential client is a client which calls the APIs from a confidential environment, i.e. typically from the backend of a web server. This means that the client can keep a secret confidential, in the OAuth 2.0 case the client secret.
The OAuth2.0 Authorization Code Flow in the standard case requires a confidential client to be able to work. The Client Credentials Flow also requires a confidential client, as it needs the use of both the client ID and client secret to obtain an access token.
Another typical API client is the so-called Single Page Application (SPA). This is usually a fully browser based application which makes use of API calls to get and set the data it needs. Due to the fact that an SPA runs fully in a user's browser, the source code, and so also the OAuth2.0 client credentials (id and secret), can be read out by anybody reading the source code.
Declaring an application as "Public (SPA)" has the following effect on wicked's Authorization Server:
/token endpoint, the authorization server will reject calls containing also the client secret; the request must be performed without the secret; the PKCE verifier serves as an extra verificationThe (currently) last class of client types are native and mobile applications. These are in last consequence also public clients in the sense that the software leaves the vendor and is physically in the hands of the end user, albeit in this case in the form of an application installed on the user's device (PC, mobile phone, tablet).
In terms of declaring an application confidential, this is not enough; it is possible to reverse engineer such applications, so the entire class of clients are still called "public" clients.
Declaring an application as "Public (Native)" has the following effect on wicked's Authorization Server:
/token endpoint, the authorization server will reject calls containing also the client secret; the request must be performed without the secret; the PKCE verifier serves as an extra verificationThe reasons why in this case the refresh token is issued, even if this is a public client are the following: