"Fat Client" refers to any client that is not a web browser, e.g. an email reading program (as opposed to web mail) or a GUI form-filling application (as opposed to a web GUI). The fat client scenario often arises with embedded systems, such as medical devices that need to talk to the TAS3 network.
The main security problem in Fat Client Login is that the fat client itself becomes an intermediary in the authentication process and handles the user's sensitive credentials: a compromised client can capture whatever the user types into it. Some notion of a Trusted Computing Path may help to verify that the fat client has not been compromised.
We recommend using one-time passwords together with the Authentication Service Protocol [SOAPAuthn2] to validate the authentication centrally at an IdP. One-time passwords effectively solve the intermediary problem, because a password captured by the client is of no further use once it has been consumed.
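To show why a one-time password defuses the intermediary problem, the following is an added illustration, not code from the TAS3 specification or the [SOAPAuthn2] protocol: the fat client sees every code it relays, yet a central validator that accepts each counter value only once makes a captured code worthless for replay. The HOTP construction follows RFC 4226; the `OtpIdP` class, its look-ahead window and `fat_client_session` are assumptions standing in for the IdP and the client.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class OtpIdP:
    """Assumed stand-in for the central IdP that validates one-time passwords.

    It remembers the highest counter accepted per user, so a code that the
    intermediary (the fat client) captured and tries to reuse is rejected.
    """

    def __init__(self, look_ahead: int = 5):
        self.secrets = {}
        self.last_counter = {}
        self.look_ahead = look_ahead  # tolerate a few client-side counter skips

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_counter[user] = -1  # no code accepted yet

    def authenticate(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        last = self.last_counter[user]
        # Only counters strictly above the last accepted one are valid: replay fails.
        for c in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.last_counter[user] = c
                return True
        return False


def fat_client_session(idp: OtpIdP, user: str, secret: bytes, counter: int):
    """The fat client generates the next code and relays it to the IdP.

    Returns (accepted, code): the client has seen the code, which is exactly the
    intermediary exposure the text describes, but the IdP will not accept it twice.
    """
    code = hotp(secret, counter)
    return idp.authenticate(user, code), code
```

Calling `fat_client_session` a second time with the same counter, or feeding the returned code back to `authenticate`, fails even though the client knows the code.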
If Fat Client Login is a requirement, the Liberty Advanced Client approach (see [AdvClient] and [SOAPAuthn2]) SHOULD be used.