Security OAuth2 Flows - klagan/learning GitHub Wiki

Grant types

The client is registered with the authorisation server before any grant can be used.

A confidential client is a client that is capable of maintaining credentials and/or obtaining client authentication securely.

A public client is one that is not a confidential client.

A resource owner is an entity that provides credentials to access a protected resource. Both a client and an end user entity can be resource owners.

Implicit grant

  • Public client - eg: SPA
  • The end user entity is the resource owner
  • Client is not authenticated
  • Authorisation returns the access token directly
  • Access token is exposed through the front channel (browser redirect)
  • Tokens returned: AT (access token)

Client credential grant

  • Client is the resource owner
  • Machine to machine authentication
  • There is no end user entity
  • Tokens returned: AT (access token)

Resource owner password credential grant

  • End user entity is the resource owner, but the client has access to the resource owner's user credentials
  • Used when the client and authorisation server are trusted and/or developed by the same organisation
  • Tokens returned: RT (refresh token) and AT (access token)

Authorisation code grant

  • Makes use of the back channel so that tokens are exposed as little as possible
  • Returns an authorisation code, which must be exchanged for tokens at the token endpoint
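The back-channel grants listed above (authorisation code, client credentials and resource owner password) share one token endpoint, and the main defensive properties are that the code is short-lived and single-use and that a confidential client must authenticate before any token is issued. The following simulation of such a token endpoint is an added example, not code from this wiki or from any OAuth library; the client ids, secrets and user credentials are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed client registrations: which grants each client may use, and
# whether it is confidential (holds a secret) or public (no secret).
CLIENTS = {
    "web-app": {"secret": "s3cret-web", "confidential": True,
                "grants": {"authorization_code", "client_credentials"}},
    "spa": {"secret": None, "confidential": False,
            "grants": {"authorization_code"}},
    "trusted-mobile": {"secret": "s3cret-mobile", "confidential": True,
                       "grants": {"password"}},
}
USERS = {"alice": "correct horse"}  # constructed resource-owner credential


class TokenError(Exception):
    """Raised with the OAuth2 error string the endpoint would return."""


@dataclass
class AuthServer:
    code_ttl: int = 60                              # authorisation codes expire quickly
    _codes: dict = field(default_factory=dict)      # code -> (client_id, user, issued_at)

    def authorize(self, client_id, user):
        """Front channel: the user has authenticated; only a single-use code is handed back."""
        client = CLIENTS.get(client_id)
        if client is None or "authorization_code" not in client["grants"]:
            raise TokenError("unauthorized_client")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, user, time.time())
        return code

    def _authenticate_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None:
            raise TokenError("invalid_client")
        if client["confidential"] and not secrets.compare_digest(
                client_secret or "", client["secret"]):
            raise TokenError("invalid_client")
        return client

    def token(self, grant_type, client_id, client_secret=None, **params):
        """Back channel token endpoint: authenticate the client, then apply the grant."""
        client = self._authenticate_client(client_id, client_secret)
        if grant_type not in client["grants"]:
            raise TokenError("unauthorized_client")
        if grant_type == "authorization_code":
            entry = self._codes.pop(params.get("code"), None)   # pop: a code works once
            if entry is None:
                raise TokenError("invalid_grant")
            code_client, user, issued_at = entry
            if code_client != client_id or time.time() - issued_at > self.code_ttl:
                raise TokenError("invalid_grant")               # wrong client or expired
            return self._issue(subject=user, refresh=True)
        if grant_type == "client_credentials":
            if not client["confidential"]:
                raise TokenError("unauthorized_client")         # machine-to-machine only
            return self._issue(subject=client_id, refresh=False)
        if grant_type == "password":
            username, password = params.get("username"), params.get("password")
            expected = USERS.get(username)
            if expected is None or not secrets.compare_digest(password or "", expected):
                raise TokenError("invalid_grant")
            return self._issue(subject=username, refresh=True)
        raise TokenError("unsupported_grant_type")

    def _issue(self, subject, refresh):
        resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 300, "sub": subject}
        if refresh:
            resp["refresh_token"] = secrets.token_urlsafe(24)
        return resp


def error_code(fn, *args, **kwargs):
    """Return the OAuth error string a call raises, or None if it succeeds."""
    try:
        fn(*args, **kwargs)
    except TokenError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    srv = AuthServer()
    code = srv.authorize("web-app", "alice")
    print("auth code exchange:", srv.token("authorization_code", "web-app", "s3cret-web", code=code))
    print("replayed code:", error_code(srv.token, "authorization_code", "web-app", "s3cret-web", code=code))
    print("client credentials:", srv.token("client_credentials", "web-app", "s3cret-web"))
```

Note that only the authorisation code and password grants hand out a refresh token, matching the AT / RT AT notes on this page, and that the code is bound to the client that requested it, so a code intercepted on the front channel cannot be redeemed by a different client.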

Hybrid grant

  • Returns the authorisation code together with the ID token, the access token, or both

aad
