Why are public clients optional?

[sdesen]

[8.1. ](https://datatracker.ietf.org/doc/html/draft-parecki-oauth-identity-assertion-authz-grant-05#section-8.1)[Client Authentication](https://datatracker.ietf.org/doc/html/draft-parecki-oauth-identity-assertion-authz-grant-05#name-client-authentication)
This specification SHOULD only be supported for confidential clients. Public clients SHOULD redirect the user with an OAuth 2.0 Authorization Request.

Why SHOULD and not MUST?

[mcguinness]

Should we consider adding support for ID-JAG as a response_type for an authorization request? This would enable public clients to obtain an ID-JAG without needing token exchange. The constraint around confidential client IIRC was to ensure only the client that was the audience of the id_token is the presenter of the assertion in the token exchange request.

I see value unbundling ID-JAG from token exchange to help standardize ID-JAG as a cross-domain identity assertion so that id_tokens are not used from cross-domain use cases.

Additionally there is a draft for OpenID Connect Key Binding that would allow us to drop requirement of a confidential client as the client could use DPOP when presenting the id_token instead of client authentication.