Description
We currently support token exchange for public clients. The exchange is allowed only when the public client that triggered the token exchange is the holder of the access token (see method AbstractTokenExchangeProvider.forbiddenIfClientIsNotTokenHolder).
This task is about possibly removing public-client support from standard token exchange.
The typical use case for public-client token exchange is possibly only "downscoping": creating an access token with a limited set of scopes to be sent to downstream services. However, this use case can possibly always be replaced with the refresh-token grant, which supports downscoping as well: when the scope parameter is used with the refresh-token grant, the newly issued access token contains only the scopes included in the scope parameter.
We may possibly document this in the "Upgrading from token exchange V1" section and make it clear in the docs that public clients are not supported (related docs task: #37126).
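The two flows compared above, as an added illustrative model (not Keycloak code): a token-exchange check that admits a public client only when it holds the subject token, beside a refresh-token grant whose `scope` parameter narrows the new token. Token fields and the rejection of a scope that was not originally granted (RFC 6749, section 6) are modelling assumptions.

```python
"""Model of public-client token exchange vs. refresh-token downscoping (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    azp: str                 # client the token was issued to (authorized party)
    scopes: frozenset        # scopes granted in this token


class OAuthError(Exception):
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error


def token_exchange_public_client(requesting_client: str, subject_token: AccessToken) -> AccessToken:
    """Standard token exchange for a public client: allowed only when the requesting
    client is the holder of the subject token (the rule the issue describes)."""
    if subject_token.azp != requesting_client:
        raise OAuthError("access_denied", "public client is not the holder of the subject token")
    return AccessToken(azp=requesting_client, scopes=subject_token.scopes)


def refresh_token_grant(client_id: str, original: AccessToken, requested_scope: str = None) -> AccessToken:
    """Refresh-token grant with an optional scope parameter. With scope set, the new token
    carries only the requested scopes; a scope that was never granted is rejected
    (RFC 6749 s6 behaviour, assumed here rather than taken from the issue)."""
    if original.azp != client_id:
        raise OAuthError("invalid_grant", "refresh token was not issued to this client")
    if requested_scope is None:
        return AccessToken(azp=client_id, scopes=original.scopes)   # no downscoping
    requested = frozenset(requested_scope.split())
    escalated = requested - original.scopes
    if escalated:
        raise OAuthError("invalid_scope", f"not originally granted: {sorted(escalated)}")
    return AccessToken(azp=client_id, scopes=requested)


# Constructed sample: a token issued to public client "spa" with four scopes.
SAMPLE_TOKEN = AccessToken(azp="spa", scopes=frozenset({"openid", "profile", "email", "orders:read"}))

if __name__ == "__main__":
    print(sorted(token_exchange_public_client("spa", SAMPLE_TOKEN).scopes))
    print(sorted(refresh_token_grant("spa", SAMPLE_TOKEN, "openid orders:read").scopes))
```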