Confidential clients must send client credentials with requests to endpoints that require authentication. This includes the token, introspection and revocation endpoints.
Two types of client credentials are defined: a symmetric client secret and an asymmetric client private key.
The client registration parameter "token_endpoint_auth_method" controls which authentication method the client is expected to use. If the registration parameter is not defined, the provider automatically detects the type of client credentials and allows either "client_secret_basic" or "client_secret_post".
Public clients
Since SSO v. 8.10 the client registration parameter "token_endpoint_auth_method" value "none" is supported to indicate a public client. Such clients are not entitled to send client authentication, only client identification: the client sends its client_id as form POST data.
Client Secret
Name | Description |
---|---|
client_secret_basic | Client uses the HTTP Basic authentication scheme with client_id and client_secret |
client_secret_post | Client sends client_id and client_secret as HTML form parameters |
client_secret_jwt | Client uses a JWT for client authentication; the JWT is signed with a key derived from client_secret |
Client Private Key
Name | Description |
---|---|
private_key_jwt | Client uses a JWT for client authentication; the JWT is signed with the client's private key. The client registration parameter "jwks" is used to communicate the client's public key to the provider |
JWTs for Client Authentication
Registration parameters
Name | Description |
---|---|
token_endpoint_auth_method | "client_secret_jwt" or "private_key_jwt" |
token_endpoint_auth_signing_alg | |
Parameters
Name | Description |
---|---|
client_assertion_type | Must be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" |
client_assertion | Contains a single JWT |
JWT Claims
Name | Description |
---|---|
iss | Issuer. Must match the client_id of the client |
sub | Subject. Must match the client_id of the client |
aud | Audience. Must match the provider's issuer identifier |
exp | Expiration time. Must not be more than 60 minutes into the future |
jti | JWT ID. The jti claim is used to enforce one-time use of the JWT |
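The following is an added example (not code from the SSO product described on this page) showing both sides of "client_secret_jwt": the client builds the assertion, and the provider applies the claim checks from the table above. It assumes HS256 with the raw client_secret as the HMAC key, a 5-minute assertion lifetime, and an in-memory set as the one-time-use jti store; the client_id, secret and issuer values are constructed sample data.

```python
import base64, hashlib, hmac, json, secrets, time
MAX_EXP_AHEAD = 60 * 60  # page rule: exp at most 60 minutes into the future

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, client_secret, issuer, now=None, lifetime=300):
    """Client side: build a client_secret_jwt assertion (HS256 keyed with the secret; assumption)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": issuer, "iat": now,
              "exp": now + lifetime, "jti": secrets.token_urlsafe(16)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(assertion, client_id, client_secret, issuer, seen_jti, now=None):
    """Provider side: apply the claim checks from the table; returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    # Verify the signature first, with the secret the provider holds for this client_id.
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False, "unexpected alg"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub mismatch"  # both must equal the authenticating client_id
    aud = claims.get("aud")
    if aud != issuer and not (isinstance(aud, list) and issuer in aud):
        return False, "aud mismatch"  # must name this provider's issuer identifier
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    if exp > now + MAX_EXP_AHEAD:
        return False, "exp too far in future"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "jti missing or replayed"  # one-time use of the JWT
    seen_jti.add(jti)
    return True, "ok"
```

Replace the in-memory set with a shared store (keyed by client_id and expiring with exp) when the provider runs more than one instance, otherwise a replayed assertion is accepted by a node that has not seen the jti.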