Client authentication for third party applications for oauth2.0 authorization

In our application we have an authorization server that holds user's data. Some third party application needs to access this data - normally through a user session (webapp) where the resource owner authenticates itself.

However the third party also needs to access some data "on its own". Due to legal requirements it needs to both keep up to date to changes in the data after the resource owner has allowed access the first time; and it needs to keep a local copy and reject changes if deemed necessary.

However, besides how this might interact with who is the actual resource owner, this means that the third party also needs to authenticate itself to the authorization server, and act on its own.

I am however confused about this. If I understand the specification correctly this server would be considered a "public client", as there's no confidential information. As any login method would have to be "coded" into the third party's device/server.

However in section 2.3 there is this paragraph:

> The authorization server MAY establish a client authentication method
> with public clients. However, the authorization server MUST NOT rely
> on public client authentication for the purpose of identifying the
> client.

This really confuses me: how would I ever identify the third party server, and issue rights to the third party to access the data it has registered to?

This is pretty common. Another scenario might be a doctor using a health application. In this use case, the doctor's identity is important but he / she won't own all the data.

The medical app would receive an access token with an appropriate scope, eg patients, after which it can call medical APIs with the access token.

It feels like in your scenario you need to issue such a token to the third party app. The token(s) would then be part of its web session.