It is recommended that the current language in the OIDC profile regarding client authentication to the token endpoint (see requirement ODP-RP01) be clarified as follows:
"Confidential clients (as defined in Section 2.1 of RFC 6749) SHOULD authenticate to the authorization server’s token endpoint using the private_key_jwt method. Confidential clients that cannot support the private_key_jwt method MUST use either the client_secret_basic or client_secret_post methods.
Public clients (as defined in Section 2.1 of RFC 6749) MUST use Proof Key for Code Exchange (PKCE) as described in RFC 7636, [iGov-OAuth] and [iGov-OIDC], using the S256 code challenge method. The plain code challenge method MUST NOT be used."
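The following is an added example, not part of the recommendation text above, showing what the S256 requirement means on both sides: the public client derives code_challenge = BASE64URL(SHA256(code_verifier)) as in RFC 7636, and the authorization server's token-endpoint check refuses the plain method outright, even when the presented value would match. Function names are the example's own.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier (32 random bytes -> 43 unreserved chars,
    the minimum length RFC 7636 section 4.1 allows)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: code_challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server side check at the token endpoint.

    stored_challenge / stored_method were bound to the authorization code at the
    authorization endpoint; presented_verifier arrives with the token request.
    Per the profile language above, only S256 is acceptable: a code issued with
    code_challenge_method=plain is rejected regardless of the verifier value.
    """
    if stored_method != "S256":
        return False
    # RFC 7636 section 4.1: verifier length is 43..128 characters.
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    # Constant-time comparison avoids leaking how much of the challenge matched.
    return secrets.compare_digest(expected, stored_challenge)
```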