Client credentials - SSO
Confidential clients must send client credentials with requests to endpoints that require authentication. This includes token, introspection and revocation endpoints.
Two types of client credentials are defined: symmetric client secret and asymmetric client private key.
Client registration parameter "token_endpoint_auth_method" controls what authentication method client is expected to use. If registration parameter is not defined then provider automatically detects type of client credentials and one of "client_secret_basic" or "client_secret_form" is allowed.
Public clients
Since SSO v. 8.10 client registration parameter "token_endpoint_auth_method" value "none" is supported to indicate a public client. These clients are not entitled to send client authentication but client identification only. In this case client sends client_id as form POST data.
Client Secret
| Name | Description |
|---|---|
| client_secret_basic | Client uses HTTP Basic authentication scheme with client_id and client_secret |
| client_secret_post | Client sends client_id and client_secret as HTML Form parameters |
| client_secret_jwt | Client uses JWTs for Client Authentication The JWT is signed with a key derived from client_secret |
Client Private Key
| Name | Description |
|---|---|
| private_key_jwt | Client uses JWTs for Client Authentication The JWT is signed with client's private key Client registration parameter "jwks" is used to communicate client's public key with provider |
JWTs for Client Authentication
Registration parameters
| Name | Description |
|---|---|
| token_endpoint_auth_method | "client_secret_jwt" or "private_key_jwt" |
| token_endpoint_auth_signing_alg |
Parameters
| Name | Description |
|---|---|
| client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" | |
| client_assertion | Contains a single JWT |
JWT Claims
| Name | Description |
|---|---|
| iss | Issuer Matches client_id of client |
| sub | Subject Matches client_id of client |
| aud | Audience Matches issuer identifier |
| exp | Expiration time Expiration time must not be more than 60 minutes into future |
| jti | JWT ID The jti claim is used to enforce one-time use of JWTs |