Public, e.g. native or mobile application. Cannot store a secret confidentially, but can keep runtime data reasonably secure.
When using the OAuth2 Authorization Code Grant, PKCE is required, but in distinction to the public_spa client type, a refresh token
is issued.
Public, browser based client. Cannot store a secret confidentially due to lack of backend server component. Typically a single page application. When using the OAuth2 Authorization Code Grant, PKCE is required, and wicked will not return a refresh token.
Generated using TypeDoc
Confidential client, i.e. a client which can keep the client secret securely stored in the backend. Typical session-based applications.