Client credentials
- Former user (Deleted)
Confidential clients must send client credentials with requests to endpoints that require authentication. This includes token, introspection and revocation endpoints.
Two types of client credentials are defined: symmetric client secret and asymmetric client private key
Client registration parameter "token_endpoint_auth_method" controls what authentication method client is expected to use. If registration parameter is not defined then provider automatically detects type of client credentials and one of "client_secret_basic" or "client_secret_form" is allowed.
Client Secret
| Name | Description |
|---|---|
| client_secret_basic | Client uses HTTP Basic authentication scheme with client_id and client_secret |
| client_secret_post | Client sends client_id and client_secret as HTML Form parameters |
| client_secret_jwt | Client uses JWTs for Client Authentication The JWT is signed with a key derived from client_secret |
Client Private Key
| Name | Description |
|---|---|
| private_key_jwt | Client uses JWTs for Client Authentication The JWT is signed with client's private key Client registration parameter "jwks" is used to communicate client's public key with provider |
JWTs for Client Authentication
Registration parameters
| Name | Description |
|---|---|
| token_endpoint_auth_method | "client_secret_jwt" or "private_key_jwt" |
| token_endpoint_auth_signing_alg |
Parameters
| Name | Description |
|---|---|
| client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" | |
| client_assertion | Contains a single JWT |
JWT Claims
| Name | Description |
|---|---|
| iss | Issuer Matches client_id of client |
| sub | Subject Matches client_id of client |
| aud | Audience Matches issuer identifier |
| exp | Expiration time Expiration time must not be more than 60 minutes into future |
| jti | JWT ID The jti claim is used to enforce one-time use of JWTs |