Resolved conversations (8)
@lunny lunny Oct 23, 2022
We need to update the new column to true for old values. I think the default value may not update the column's old data to true?
models/migrations/v230.go
hickford
M Hickford
@lunny lunny Oct 23, 2022
So this is a breaking change? Or is it a bug in the previous code?
routers/web/auth/oauth.go
hickford
M Hickford
@wxiaoguang wxiaoguang Oct 11, 2022
```
// Sync the new struct changes to database, this method will automatically add
// table, column, index, unique. but will not delete or change anything.
// If you change some field, you should change the database manually.
```
Only the newly added field is needed here.
Outdated
models/migrations/v227.go
hickford
M Hickford
@wxiaoguang wxiaoguang Oct 5, 2022
Why is this ValidateClientSecret skipped?
Outdated
routers/web/auth/oauth.go
hickford wxiaoguang
M Hickford and wxiaoguang
@wxiaoguang wxiaoguang Oct 5, 2022
Where is the section about how the client type affects the redirection URI? I didn't find the details.
```
8.3. Loopback Redirect Considerations

Loopback interface redirect URIs use the "http" scheme (i.e., without
Transport Layer Security (TLS)). This is acceptable for loopback
interface redirect URIs as the HTTP request never leaves the device.

Clients should open the network port only when starting the
authorization request and close it once the response is returned.

Clients should listen on the loopback network interface only, in
order to avoid interference by other network actors.

While redirect URIs using localhost (i.e.,
"http://localhost:{port}/{path}") function similarly to loopback IP
redirects described in Section 7.3, the use of localhost is NOT
RECOMMENDED. Specifying a redirect URI with the loopback IP literal
rather than localhost avoids inadvertently listening on network
interfaces other than the loopback interface. It is also less
susceptible to client-side firewalls and misconfigured host name
resolution on the user's device.
```
...content/doc/developers/oauth2-provider.md
hickford
M Hickford
@wxiaoguang wxiaoguang Oct 5, 2022
According to the RFC: OAuth defines two client types. So to match the document, could the field be "ClientType=confidential" or "ClientType=public"?
Outdated
models/auth/oauth2.go
hickford
M Hickford
@hickford hickford Oct 4, 2022
> setting existing rows to true

How can I achieve this? How can I test this?
Outdated
models/migrations/v226.go
hickford zeripath
M Hickford and zeripath
@hickford hickford Oct 4, 2022
The old behaviour is Confidential=true. Is that okay for compatibility? The alternative would be to call the field Public so the old behaviour is Public=false. What does the xorm default do? Does that make any difference?
Outdated
models/auth/oauth2.go
hickford zeripath
M Hickford and zeripath