For single-page-apps there is also DPoP [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04] which provides some similar capabilities using ephemeral keys. The issue I see with DCR and SPAs is maintaining the keys in the browser in a persistent way.On Wed, Oct 6, 2021 at 7:11 AM Igor Zboran <izboran@gmail.com> wrote:Hi everyone,_______________________________________________
Please take a look at https://github.com/uma-email/poc#protected-dynamic-client-registration.
This may solve the single page applications and native applications problem with client secrets. I mean, the client is public with respect to the IdP, and at the same time – after dynamic registration – confidential with respect to the AS.Regards
-Igor
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__kantarainitiative.org_mailman_listinfo_wg-2Duma&d=DwICAg&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=cl87BDJWy_Dken1-bgbUZNI3uuMUfMrWjS7cLmJhvw0&m=_EtItqJQ36olWtgJjHi0gFmdLoJJkAFELf3CKJ6dPoI&s=usuWOpY5zGwrCIUtJ1A8HoW4KcxwO41l_pZt-m1Iwh8&e=