Add requirements for native clients

[martin-lindstrom]

A mobile app, or a single-page web application, that does not have a backend is a special type of client that needs extra care within OIDC and OAuth2 to function in a safe manner. Up until now we have focused on "full clients", i.e., client applications that have backends (where most of the security related operations may be carried out), but we need to have some specific requirements regarding the native client type.

Suggestion:

• In the intro section make a definition of "full" vs "native" clients.
• Where applicable, point out specific requirements for "native" clients.

[per-mutzell]

This is a good thing (i.e. to differentiate support of PKCE and the like)

Though, I think we should consider use the terms "confidential client" and "public client" as they are used in OIDC Core, so we don't have to define new terms in the profile. I would avoid "regular" och "full" clients.
We can always add some clarifying text to those terms in the profile (concrete examples) to make it easier to read.