Authenticating Clients Using Form Parameters

Clients that have a client secret can send the client ID in the client_id form parameter and the secret in the client_secret form parameter in the body of the request. For example:

$ curl \
--request POST \
--data "client_id=myClient" \
--data "client_secret=forgerock" \

This is the simplest way to authenticate to any of the OAuth 2.0 endpoints, and the most insecure, since the client credentials are exposed. Ensure that communication with the authorization server happens over a secure protocol to protect the secret, and use this method in production only if the other methods are not available for your client.


OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect Client Authentication.

Read a different version of :