Authorization Code Flow with Client Secret #3

@MartinLoeper

First of all, thanks @ctron for this wonderful tool. I want to quickly outline my use case for oidc-cli and discuss one limitation I encountered.

Use case
I use oidc-cli to obtain an access token from Keycloak. Then, I swap the token for an AccessToken using MinIO's STS.

I noticed that MinIO requires its OIDC clients to be confidential, i.e. use a client secret. It supports the Authorization Code Flow and the Client Credentials Flow (aka Service Account Roles in Keycloak).

The latter one works with oidc-cli, but does not make much sense, since I want the end user to authenticate itself and not the OIDC client.

Issue
Is there a particular reason why the client types in oidc-cli are named "confidential" and "public" instead of using the OIDC flow names?
What I need in the MinIO use case described above is a confidential client (i.e. a client sending its client secret) via Authorization Code Flow.
I think this is not the typical use case, but should be supported by the OIDC spec.

What do you think?
