IHE / ITI.IUA

ITI Domain - Internet User Authorization (IUA) profile
Creative Commons Attribution 4.0 International

don't require confidential clients to use symmetric authn #16

Closed isaacvetter closed 3 years ago

isaacvetter commented 3 years ago

https://github.com/IHE/ITI.IUA/blob/master/IHE_ITI_Suppl_IUA.md#341-iua-actors-transactions-and-content-modules

This profile requires the use of a client_id for client identification and a client_secret used with the HTTP Basic Authentication scheme for client authentication of confidential and credentialed clients, if no other methods for identification and authentication are used.

We anticipate confidential clients in the auth code flow to increasingly move away from symmetric authentication to signed JWTs. This profile shouldn't restrict that.

Priority:

joostreuzel commented 3 years ago

The intention is not to restrict it. Authorization servers should at minimum support client_id and client_secret based authentication, but may support alternative methods. Support for these methods can be published through the meta-data document. If that needs to be phrased better, please suggest an improvement.

JohnMoehrke commented 3 years ago

We should make clear this is a minimum, not a restriction.