The current NAESB REQ.21 ESPI standard supports only OAuth 2.0 Confidential Clients. OAuth public clients can be used, but only through a web server proxy, which complicates the interface and development for Public Clients.
OAuth 2.0 introduced RFC 7636, Proof Key for Code Exchange by OAuth Public Clients (PKCE), an extension to the OAuth Authorization Code request that prevents CSRF and authorization code injection attacks.