Confidential clients must send client credentials with requests to endpoints that require authentication. This includes the token, introspection and revocation endpoints.
...
The client registration parameter "token_endpoint_auth_method" controls which authentication method the client is expected to use. If the registration parameter is not defined, the provider automatically detects the type of client credentials, and either "client_secret_basic" or "client_secret_form" is allowed.
Info: Since SSO v. 8.10 client registration parameter
...
Client Secret
Name | Description |
---|---|
client_secret_basic | Client uses the HTTP Basic authentication scheme with urlencoded(client_id) and urlencoded(client_secret). Urlencoding requirement can be disabled with |
client_secret_post | Client sends client_id and client_secret as HTML form parameters. |
client_secret_jwt | Client uses JWTs for client authentication. The JWT is signed with a key derived from client_secret. |
Client Private Key
Name | Description |
---|---|
private_key_jwt | Client uses JWTs for client authentication. The JWT is signed with the client's private key. The client registration parameter "jwks" is used to communicate the client's public key to the provider. |
JWTs for Client Authentication
Registration parameters
Name | Description |
---|---|
token_endpoint_auth_method | "client_secret_jwt" or "private_key_jwt" |
token_endpoint_auth_signing_alg |
...
Name | Description |
---|---|
client_assertion_type | "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" |
client_assertion | Contains a single JWT |
JWT Claims
Name | Description |
---|---|
iss | Issuer. Matches the client_id of the client. |
sub | Subject. Matches the client_id of the client. |
aud | Audience. Matches the issuer identifier of the provider. |
exp | Expiration time. Must not be more than 60 minutes into the future. |
jti | JWT ID. The jti claim is used to enforce one-time use of JWTs. |
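The client_secret_jwt method end to end, as an added example that is not the product's own code: the client builds the assertion and the two form parameters described above, and a provider-side function applies the checks from the JWT Claims table (signature, iss/sub, aud, exp window, one-time jti). The client_id, client_secret and issuer URL are constructed placeholders; only the standard library is used.

```python
import base64, hashlib, hmac, json, time

CLIENT_ID = "example-client"                       # constructed sample client_id
CLIENT_SECRET = b"constructed-shared-secret"       # constructed client_secret (HS256 key)
ISSUER = "https://sso.example.com/uas"             # constructed provider issuer identifier
MAX_EXP_AHEAD = 60 * 60                            # exp must be at most 60 minutes ahead

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(client_id, secret, audience, jti, now, lifetime=300):
    """Client side (client_secret_jwt): HS256 JWT keyed with the client_secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": jti}
    signing_input = ".".join(_b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def form_parameters(assertion):
    """Form parameters the client adds to the token/introspection/revocation request."""
    return {"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion}

def verify_client_assertion(assertion, client_id, secret, issuer, seen_jti, now):
    """Provider side: the checks listed in the JWT Claims table, plus the signature."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"          # key is always the HS256 secret: no alg confusion
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub mismatch"       # iss and sub must both equal client_id
    if claims.get("aud") != issuer:
        return False, "aud mismatch"           # aud must be the provider's issuer identifier
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now or exp > now + MAX_EXP_AHEAD:
        return False, "exp invalid"            # expired, or more than 60 minutes ahead
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "jti missing or reused"  # one-time use: reject a replayed jti
    seen_jti.add(jti)
    return True, "ok"
```

The seen_jti set stands in for the provider's replay cache; in a real deployment it is shared across nodes and entries can be dropped once their exp has passed.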
...