【Question title】: Does Application Type (OpenID Connect) correspond to Client Type (OAuth 2.0)?
【Posted】: 2014-06-26 18:59:53
【Question】:

"OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" has an entry named application_type whose defined values are native and web:

application_type
   OPTIONAL. Kind of the application. The default, if omitted, is web.
   The defined values are native or web. Web Clients using the OAuth
   Implicit Grant Type MUST only register URLs using the https scheme
   as redirect_uris; they MUST NOT use localhost as the hostname. Native
   Clients MUST only register redirect_uris using custom URI schemes or
   URLs using the http: scheme with localhost as the hostname.
   Authorization Servers MAY place additional constraints on Native
   Clients. Authorization Servers MAY reject Redirection URI values
   using the http scheme, other than the localhost case for Native
   Clients. The Authorization Server MUST verify that all the registered 
   redirect_uris conform to these constraints. This prevents sharing a
   Client ID across different types of Clients.  

Do these defined values correspond to public and confidential as described in "RFC 6749 (OAuth 2.0), 2.1. Client Types"?

OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):

confidential
   Clients capable of maintaining the confidentiality of their
   credentials (e.g., client implemented on a secure server with
   restricted access to the client credentials), or capable of secure
   client authentication using other means.

public
   Clients incapable of maintaining the confidentiality of their
   credentials (e.g., clients executing on the device used by the
   resource owner, such as an installed native application or a web
   browser-based application), and incapable of secure client
   authentication via any other means.

If not, why does the specification (OpenID Connect Dynamic Client Registration 1.0) not specify an entry for the client type? Is there any way to specify the client type (public or confidential) at the client registration endpoint?

【Question comments】:

    Tags: oauth oauth-2.0 openid


    【Answer 1】:

    If "Native Clients" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "native application" in "RFC 6749 (OAuth 2.0), 2.1 Client Types" (yes, apparently it does), native clients are always public clients.

    If "Web Clients" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "web application" in "RFC 6749 (OAuth 2.0), 2.1 Client Types" but excludes "user-agent-based application", web clients are always confidential clients.

    Using the interpretation above, application_type=native and application_type=web correspond to public and confidential respectively.

    However, the requirement on application_type:

    Web Clients using the OAuth Implicit Grant Type MUST only
    register URLs using the https scheme as redirect_uris; they
    MUST NOT use localhost as the hostname. Native Clients MUST
    only register redirect_uris using custom URI schemes or URLs
    using the http: scheme with localhost as the hostname.
    

    has nothing to do with whether the client is "capable of maintaining the confidentiality of their credentials" (from RFC 6749). In other words, the redirect URIs are unrelated to how the client is authenticated. Therefore, in my opinion, application type and client type are different concepts.

    What is strange is that all OAuth 2.0 clients must conform to one of the "redirect_uris" requirements (one for Web Clients and the other for Native Clients), so using 'web' as the default when application_type is omitted may be inappropriate. IMHO, neither 'native' nor 'web' should be assumed when application_type is omitted. However, I may be missing something. Is there any reason to impose the "redirect_uris" requirements on all OpenID Connect clients?

    In any case, my conclusion is that application type and client type are different. I hope that client_type (public or confidential) will be added to the list of client metadata, and that neither 'native' nor 'web' is used as the default when application_type is not included in client registration requests.

    【Comments】:
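The redirect_uris constraints quoted in the question and again in the answer are something the Authorization Server "MUST verify" at the registration endpoint. The following is an added example (not code from the question, the answer, or any OpenID implementation) of that server-side check in Python. It applies the quoted rules literally: only Web Clients whose registered response_types use the implicit grant are held to https and non-localhost; Native Clients may use a custom scheme or http with the literal hostname localhost. The function names, the decision to treat hybrid-flow response types like implicit ones, and the sample registration requests are all this example's own assumptions; the default of "web" for a missing application_type and ["code"] for missing response_types follow the specification's stated defaults.

```python
"""Added example: authorization-server-side verification of the
application_type redirect_uris constraints quoted on this page.
Not part of the original question or answer; helper names are invented."""
from urllib.parse import urlsplit

DEFAULT_APPLICATION_TYPE = "web"  # spec default when the field is omitted
DEFAULT_RESPONSE_TYPES = ["code"]  # spec default when the field is omitted


def uses_implicit_grant(response_types):
    """True if any registered response_type returns a token directly from the
    authorization endpoint (OIDC implicit flow, and hybrid flow as well).
    Counting hybrid as implicit is a design choice of this example."""
    for rt in response_types:
        parts = set(rt.split())
        if "token" in parts or "id_token" in parts:
            return True
    return False


def validate_redirect_uris(metadata):
    """Return a list of violations for one client registration request.
    An empty list means every redirect_uri conforms to the quoted rules."""
    app_type = metadata.get("application_type", DEFAULT_APPLICATION_TYPE)
    if app_type not in ("native", "web"):
        return [f"unknown application_type {app_type!r}"]
    response_types = metadata.get("response_types", DEFAULT_RESPONSE_TYPES)
    redirect_uris = metadata.get("redirect_uris", [])
    errors = []
    if not redirect_uris:
        errors.append("redirect_uris must not be empty")
    for uri in redirect_uris:
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        if app_type == "web":
            # Only Web Clients using the implicit grant are constrained here.
            if uses_implicit_grant(response_types):
                if scheme != "https":
                    errors.append(f"{uri}: web client using implicit grant must use https")
                if host == "localhost":
                    errors.append(f"{uri}: web client must not use localhost")
        else:
            # Native Clients: custom URI scheme, or http with hostname localhost.
            # Only the literal name "localhost" is accepted, as the quoted text says.
            custom_scheme = scheme not in ("", "http", "https")
            localhost_http = scheme == "http" and host == "localhost"
            if not (custom_scheme or localhost_http):
                errors.append(f"{uri}: native client must use a custom scheme or http://localhost")
    return errors


if __name__ == "__main__":
    # Constructed sample registration requests, not taken from any real client.
    samples = {
        "native ok": {"application_type": "native",
                      "redirect_uris": ["com.example.app:/cb", "http://localhost:8080/cb"]},
        "native bad": {"application_type": "native",
                       "redirect_uris": ["https://example.com/cb"]},
        "web implicit bad": {"response_types": ["id_token token"],
                             "redirect_uris": ["http://example.com/cb"]},
        "web code ok": {"redirect_uris": ["http://example.com/cb"]},
    }
    for name, request in samples.items():
        print(name, "->", validate_redirect_uris(request) or "conforms")
```

Note that a web client registering only the code response type passes with a plain-http redirect URI, because the quoted clause constrains only implicit-grant web clients; whether the server should nonetheless reject such URIs is a separate policy decision ("Authorization Servers MAY reject Redirection URI values using the http scheme").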
