Client types in OAuth 2.0

In OAuth 2.0, many different types of Client Applications can be used to access a Resource Server's resources: native mobile applications, web applications (including Single Page Applications), console or backend applications, and so on. Each Client Application must register with the Authorization Server and then use the Client ID issued by the Authorization Server to obtain an access token. Some grant types also require the Client Secret, which the Authorization Server issues to the Client Application together with the Client ID; the Client Credentials grant type is one example.

Not all Client Applications can store a Client Secret securely; native mobile applications and Single Page Applications, for example, cannot. Therefore OAuth 2.0 defines two different types of clients: confidential clients and public clients.

Confidential clients are clients that can store the Client Secret securely. For example, in a web application with both a backend and a frontend, the Client Secret can be kept on the backend side, where the application's users cannot read it.

In contrast, public clients are clients that cannot guarantee secure storage of the Client Secret, such as native mobile applications or Single Page Applications: users can decompile the app or view the page source and read the Client Secret. For these clients we need to use grant types that do not rely on a Client Secret, such as the Authorization Code grant type with PKCE, guys!
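To make the difference concrete, here is an added example (not code from the original post) of the PKCE mechanism (RFC 7636) that lets a public client complete the Authorization Code flow without a Client Secret, next to the token request a confidential client would send instead. The public client generates a random `code_verifier`, sends only its SHA-256 hash (`code_challenge`) in the authorization request, and reveals the verifier itself only when exchanging the code for a token, so an attacker who intercepts the authorization code cannot redeem it. The endpoint URLs, client identifiers and the `demo_public_client_flow` helper below are hypothetical values constructed for the example; the RFC 7636 Appendix B test vector is used to check the challenge derivation.

```python
"""PKCE (RFC 7636) for public clients vs. client_secret for confidential clients.

Added example. All identifiers, URLs and the in-memory "Authorization Server"
are constructed for illustration; they are not a real deployment.
"""
import base64
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlencode

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Random code_verifier the public client keeps to itself until the token request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636 4.1)")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def _b64url_no_pad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return _b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, code_challenge: str, state: str) -> str:
    """Front-channel request: only the hash of the verifier leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def public_client_token_request(client_id: str, code: str, redirect_uri: str,
                                code_verifier: str) -> dict:
    """Back-channel token request of a public client: no client_secret at all."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }


def confidential_client_token_request(client_id: str, client_secret: str, code: str,
                                      redirect_uri: str) -> dict:
    """Same exchange for a confidential client, which can present its Client Secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization Server side: recompute the challenge from the presented verifier
    and compare it in constant time against the one bound to the authorization code."""
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def demo_public_client_flow() -> bool:
    """End-to-end walk-through with an in-memory stand-in for the Authorization Server."""
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    url = build_authorization_url("https://as.example/authorize", "spa-client",
                                  "https://app.example/cb", challenge, secrets.token_urlsafe(16))
    # The server stores the challenge with the code it issues (constructed values).
    issued = {"code": secrets.token_urlsafe(24), "challenge": challenge, "method": "S256"}
    req = public_client_token_request("spa-client", issued["code"], "https://app.example/cb", verifier)
    # A leaked authorization code alone is useless: the verifier must also match.
    stolen_code_attempt = server_verify_pkce(issued["challenge"], issued["method"], generate_code_verifier())
    legit = server_verify_pkce(issued["challenge"], issued["method"], req["code_verifier"])
    return legit and not stolen_code_attempt and "client_secret" not in req and "code_challenge=" in url
```

Note that `server_verify_pkce` accepts the `plain` method only for completeness; an Authorization Server should require `S256`, since with `plain` the challenge in the front-channel request is the verifier itself.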
