Are your APIs really secure? Are you sure?
Authors: D. Fett and Dima Postnikov.
As I stated, use a public client (i.e. w/o a secret). That’s the same recommendation as for native apps (https://tools.ietf.org/html/bcp212). Clearly, the AS must take this into consideration when determining the level of trust it puts into the client’s identity.