oauth-wg / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

stronger client auth at the authorization challenge endpoint needed #99

Open Sakurann opened 2 months ago

Sakurann commented 2 months ago

Implementers SHOULD consider additional measures to limit the risk of client impersonation, such as using attestation APIs available from the operating system.

SHOULD feels too weak in section 9.4 on client auth. The AS has to be sure it is talking to the right client. That needs to be defined better.

Sakurann commented 2 months ago

In general, how the AS determines first-partyness is at the core of this draft, but the information about that seems to be scattered across the document (sections 9.1, 9.4, 9.8, and 5). It would be good to consolidate those better.

Sakurann commented 2 months ago

Also, it is not very checkable/actionable to say "In order to preserve the security of this specification, the Authorization Server MUST verify the "first-partyness" of the client before continuing with the authentication flow." but then say "This specification is not prescriptive on how the Authorization Server establishes its trust in the first-partyness of the application".

I understand why you do not want to be prescriptive, but being a bit more precise and detailed on how the AS can establish "first-partyness" sounds crucial to me.