
Provide guidance on use of OAuth 2 flows #194

Closed
mmccool opened this issue Nov 9, 2020 · 5 comments
Comments

@mmccool
Contributor

mmccool commented Nov 9, 2020

In the Security and Privacy Guidelines/Best Practices, we should provide explicit guidance on which flows to use when. In particular, the "client" flow is the only one suitable when a human is not in the loop. This is particularly important for automated scenarios. We also want to state that scripts (using the Scripting API) should NOT be involved in security negotiations; this needs to happen "outside" such scripts.

See https://github.com/w3c/wot/blob/master/PRESENTATIONS/2020-10-online-f2f/2020-10-22-WoT-F2F-Security-OAuth2-Aguzzi.pdf

@mmccool
Contributor Author

mmccool commented Apr 12, 2021

Note there is now a section in the Use Cases and Requirements document on OAuth2: https://w3c.github.io/wot-usecases/#oauth
We have to at least cite this in our security docs and in Best Practices recommend when particular flows should be used (e.g. device flow for IoT devices...).
Note that I'd like to make Best Practices normative for Profiles (MUST), but just strong suggestions otherwise (since the security best practices doc is just informative we can't use RFC2119 assertions...). Technically we probably have to restate the relevant assertions in Profiles. So what should our recommendations be?

@mmccool
Contributor Author

mmccool commented Apr 12, 2021

Some possible recommendations:

  • Use device flow for automatic systems that provide authorizations without humans in the loop, i.e. in a factory automation system using an automatic key management system.
  • Do not use deprecated implicit and password flows. Note there are "assertions" about this already in the use cases document but they are not appropriate there (it is an informative document).
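
As an added example (not code from this issue or from the WoT working group), a small linter that applies the two recommendations above to the `securityDefinitions` of a Thing Description: it flags the deprecated flows, checks that each remaining flow declares the endpoints it needs, and, for unattended deployments, flags any flow that requires a human. It assumes the TD `oauth2` scheme shape with a `flow` field, and the sample TD is constructed for illustration.

```python
"""Lint the OAuth2 security schemes in a W3C WoT Thing Description (TD)
against the flow recommendations discussed in this issue.

Added example, not WoT working group code. Assumes the TD shape of
OAuth2SecurityScheme ("scheme": "oauth2" with a "flow" field under
"securityDefinitions"); the sample TD below is constructed."""
import json

MACHINE_FLOWS = {"client", "device"}         # no human needed to complete
DEPRECATED_FLOWS = {"implicit", "password"}  # recommended against above
# Endpoints each flow needs. For "device" the TD "authorization" field is
# assumed to carry the RFC 8628 device authorization endpoint.
REQUIRED_FIELDS = {
    "client": {"token"},
    "device": {"authorization", "token"},
    "code": {"authorization", "token"},
}


def lint_td(td: dict, unattended: bool = False) -> list[str]:
    """Return one finding per problem in each oauth2 scheme of the TD.
    unattended=True means no human can take part in the authorization."""
    findings = []
    for name, sd in td.get("securityDefinitions", {}).items():
        if sd.get("scheme") != "oauth2":
            continue
        flow = sd.get("flow")
        if flow in DEPRECATED_FLOWS:
            findings.append(f"{name}: flow '{flow}' is deprecated, do not use")
            continue
        if flow not in REQUIRED_FIELDS:
            findings.append(f"{name}: unknown or missing flow {flow!r}")
            continue
        for field in sorted(REQUIRED_FIELDS[flow] - set(sd)):
            findings.append(f"{name}: flow '{flow}' requires a '{field}' endpoint")
        if unattended and flow not in MACHINE_FLOWS:
            findings.append(f"{name}: flow '{flow}' needs a human; use client or device")
    return findings


# Constructed sample TD: a compliant scheme per machine flow, a legacy
# implicit scheme, and a code-flow scheme that forgot its token endpoint.
SAMPLE_TD = json.loads("""{"securityDefinitions": {
  "m2m": {"scheme": "oauth2", "flow": "client", "token": "https://as.example/token"},
  "box": {"scheme": "oauth2", "flow": "device",
          "authorization": "https://as.example/device", "token": "https://as.example/token"},
  "old": {"scheme": "oauth2", "flow": "implicit", "authorization": "https://as.example/auth"},
  "web": {"scheme": "oauth2", "flow": "code", "authorization": "https://as.example/auth"},
  "b":   {"scheme": "basic"}}}""")
```

Running `lint_td(SAMPLE_TD, unattended=True)` reports the implicit scheme, the missing token endpoint, and the code flow's need for a human; the `basic` scheme is ignored.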

@mmccool
Contributor Author

mmccool commented Apr 12, 2021

@Citrullin has volunteered to copy assertions about OAuth2 from the Use Cases document to the Best Practices document as a starting point for further discussion (please include "Resolves #194" in the PR description). Also please comment on this issue for additional input.

@Citrullin
Member

Opened a PR in the best-practices repository. Review version.

@Citrullin
Member

Closed, since the PR is merged.
