A true public client doesn't have a client_secret or its equivalent, so it
would have token_endpoint_auth_method = none. A confidential client can't use
the implicit flow (since you can't send a client_secret to the auth endpoint),
so there's a bit of overlap there.
Would it be useful to have a
As I understand it (corrections welcome!) RFC 6749 says that public clients:
1. are defined functionally, as clients "incapable of maintaining the
confidentiality of their credentials" [section 2.1]
2. "MAY establish a client authentication method" if the server allows.
e.g. client password auth