Client in device authorization flow should be considered public

[srook]

When using device authorization flow, device initiating the flow is public client and should be able to access endpoints /oauth2/device_authorization and /oauth2/token without providing additional authorization.

To Reproduce
With following configuration:

oauth2:
  authorizationserver:
    issuer: http://localhost:8070
    client:
      test-client:
        registration:
          client-id: test-client
          client-name: Test Client
          client-authentication-methods:
            - none
          authorization-grant-types:
            - urn:ietf:params:oauth:grant-type:device_code
            - refresh_token
          scopes:
            - test.read

Requests

curl --request POST \
  --url http://localhost:8070/oauth2/device_authorization \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data client_id=test-client \
  --data scope=test.read

and

curl --request POST \
  --url http://localhost:8070/oauth2/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data device_code=device-code-returned-by-authorization-server \
  --data client_id=test-client \
  --data grant_type=urn:ietf:params:oauth:grant-type:device_code

Expected behavior
Request should return successful response since client is public and should not be required to send additional Authorization header.

Currently only Authorization Code with PKCE flow does not require sending additional authorization.

[jgrandja]

@srook Closing this as duplicate of gh-1522. Please see this comment for details.