Client credentials

Confidential clients must send client credentials with requests to endpoints that require authentication. This includes token, introspection and revocation endpoints.

Two types of client credentials are defined: symmetric client secret and asymmetric client private key

Client registration parameter "token_endpoint_auth_method" controls what authentication method client is expected to use. If registration parameter is not defined then provider automatically detects type of client credentials and one of "client_secret_basic" or "client_secret_form" is allowed.

Client Secret

NameDescription
client_secret_basicClient uses HTTP Basic authentication scheme with client_id and client_secret
client_secret_postClient sends client_id and client_secret as HTML Form parameters
client_secret_jwt 

Client uses JWTs for Client Authentication

The JWT is signed with a key derived from client_secret

Client Private Key

NameDescription
private_key_jwt

Client uses JWTs for Client Authentication

The JWT is signed with client's private key

Client registration parameter "jwks" is used to communicate client's public key with provider

JWTs for Client Authentication

Registration parameters

NameDescription
token_endpoint_auth_method

"client_secret_jwt"

or

"private_key_jwt"

token_endpoint_auth_signing_alg


Parameters

NameDescription
client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertionContains a single JWT

JWT Claims

NameDescription
iss

Issuer

Matches client_id of client

sub

Subject

Matches client_id of client

aud

Audience

Matches issuer identifier

exp

Expiration time

Expiration time must not be more than 60 minutes into future

jti

JWT ID

The jti claim is used to enforce one-time use of JWTs

References