In the OAuth 2.0 framework, clients are categorized based on their ability to maintain the confidentiality of their credentials. A confidential client is an application capable of securely storing its credentials, such as a client secret. Web applications, which run on a secure server, fit this definition perfectly. The server-side nature allows them to protect their credentials from exposure to end-users or other unauthorized parties. This is in contrast to public clients, which cannot guarantee the secrecy of their credentials.

A. Desktop clients run on a user's machine where credentials cannot be securely stored, making them public clients.

B. JavaScript clients run entirely within a user's browser, and their source code is accessible, so they cannot protect a client secret.

C. Web browsers are user-agents that render applications; the client is the application itself, which can be public (JavaScript) or confidential (server-side).

1. Ping Identity Documentation, PingAM > OAuth 2.0 and OIDC > Clients and applications. This section defines client types, stating, "Confidential clients can keep their credentials secret. For example, a Java web application that runs on a server can be a confidential client."

2. Internet Engineering Task Force (IETF), RFC 6749: The OAuth 2.0 Authorization Framework, Section 2.1, "Client Types". This RFC defines confidential clients as "clients capable of maintaining the confidentiality of their credentials (e.g., client secret) or capable of secure client authentication using other means."