The OAuth 2.0 specification (Section 2.1) defines two client types, based on their ability to maintain the confidentiality of their client credentials:
Confidential - Clients capable of maintaining the confidentiality of their credentials or capable of secure client authentication using other means.
Public - Clients that do not maintain the confidentiality of their credentials.
Going further with the clarification we can recognize the following applications:
Web applications - A web application is a confidential client running on a web server. The client credentials, as well as any access token issued to the client, are stored on the web server and are not exposed to or accessible by the resource owner.
Example: Web applications that generate HTML on the server
User-agent based applications - A user-agent-based application is a public client in which the client code is downloaded from a web server and executes within a web browser. Protocol data and credentials are easily accessible (and often visible) to the resource owner.
Example: SPA or Single Page Applications. Web applications that generate HTML in the client's browser and call a different API to send and receive the data.
Native applications - A native application is a public client installed and executed on the device used by the resource owner. It is assumed that any client authentication credentials included in the application can be extracted. On the other hand, dynamically issued credentials such as access tokens or refresh tokens can receive an acceptable level of protection. At a minimum, these credentials are protected from hostile servers with which the application may interact.
Example: Mobile applications
This classification is important because different client applications will need to implement authentication process in a slightly different way and will also have different features offered by the identity provider based on their security level. Now let’s move on to Tokens!