Confidential Applications
These are considered confidential applications:
- A web application with a secure backend that uses the Authorization Code Flow, Resource Owner Password Flow, or Resource Owner Password Flow with realm support
- A machine-to-machine (M2M) application that uses the Client Credentials Flow
ID tokens
Because confidential applications are capable of holding secrets, you can have ID tokens issued to them that have signed in one of two ways:
- Symmetrically, using their client secret (
HS256) - Asymmetrically, using a private key (
RS256)
Public applications
Public applications cannot hold credentials securely.
Grant types
Public applications can only use grant types that do not require the use of their client secret. They can’t send a client secret because they can’t maintain the confidentiality of the credentials required.
These are public applications:
- A native desktop or mobile application that uses the Authorization Code Flow with PKCE
- A JavaScript-based client-side web application (such as a single-page app) that uses the Implicit Flow grant
ID tokens
Because public applications are unable to hold secrets, ID tokens issued to them must be:
- Signed asymmetrically using a private key (
RS256) - Verified using the public key corresponding to the private key used to sign the token