Client credentials - SSO
Confidential clients must send client credentials with requests to endpoints that require authentication. This includes token, introspection and revocation endpoints.
Two types of client credentials are defined: symmetric client secret and asymmetric client private key
Client registration parameter "token_endpoint_auth_method" controls what authentication method client is expected to use. If registration parameter is not defined then provider automatically detects type of client credentials and one of "client_secret_basic" or "client_secret_form" is allowed.
Client Secret
Name | Description |
|---|---|
client_secret_basic | Client uses HTTP Basic authentication scheme with client_id and client_secret |
client_secret_post | Client sends client_id and client_secret as HTML Form parameters |
client_secret_jwt | Client uses JWTs for Client Authentication The JWT is signed with a key derived from client_secret |
Client Private Key
Name | Description |
|---|---|
private_key_jwt | Client uses JWTs for Client Authentication The JWT is signed with client's private key Client registration parameter "jwks" is used to communicate client's public key with provider |
JWTs for Client Authentication
Registration parameters
Name | Description |
|---|---|
token_endpoint_auth_method | "client_secret_jwt" or "private_key_jwt" |
token_endpoint_auth_signing_alg |
Parameters
Name | Description |
|---|---|
client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" | |
client_assertion | Contains a single JWT |
JWT Claims
Name | Description |
|---|---|
iss | Issuer Matches client_id of client |
sub | Subject Matches client_id of client |
aud | Audience Matches issuer identifier |
exp | Expiration time Expiration time must not be more than 60 minutes into future |
jti | JWT ID The jti claim is used to enforce one-time use of JWTs |