Why do we need the clientId when we already have just id in RegisteredClient object and why do we need to have a clientSecret? It’s counterintuitive to me because in the real world apps nobody asks to come up with more and more passwords for each of the user’s devices. Are they only needed for client_credentials grant type? How are the clientId and clientSecret usually dealt with in the real world apps?

I have used the default sample authorization server from the GitHub : default-authorizationserver

The sendAuthorizationConsent in OAuth2DeviceVerificationEndpointFilter allows for page redirection through sendRedirect. I would like to open the settings feature to support more return formats such as JSON, and I’m not sure if this is feasible