Authenticating Clients Using Authorization Headers
Clients that have a client secret can send the client ID and the secret in a basic authorization header with the base64-encoded value of
client_id:client_secret. For example:
curl \
  --header "Authorization: Basic bXlDbGllbnQ6Zm9yZ2Vyb2Nr" \
  --request POST \
  ...
If the client ID or client secret contains characters that have special meaning in URL-encoded strings, such as percent (%) or plus (+) characters, you must first URL-encode the string before combining them with the colon character and base64-encoding the result. URL-encoding characters that do not have special meaning in URL-encoded strings will still work, but is unnecessary.
For example, for a client named example.com with a client secret of
URL-encode the client secret value and combine with the colon character. For example:
Note that you should not URL-encode the separating colon character.
Base64-encode the entire string to obtain the basic authorization header. For example,
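The following Python script is an added worked example, not code from the original documentation or from the product it describes. It carries the procedure above through end to end: percent-encode the client ID and secret separately, join them with a literal colon, base64-encode the result, and then reverse the process the way an authorization server would when it parses the header. The client ID example.com and the secret myClient:forgerock pair come from the page; the secret p%ss+w0rd:x and the comparison helper are constructed here to show the special-character case and a constant-time check.

```python
import base64
import hmac
from typing import Tuple
from urllib.parse import quote, unquote


def encode_credential(value: str) -> str:
    # Percent-encode every reserved character (safe="" also encodes "/"
    # and ":"), so a "%", "+" or ":" inside the value can never be mistaken
    # for the separator or for an existing escape sequence. Encoding
    # characters that did not need it is harmless, as the text above notes.
    return quote(value, safe="")


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    # Only the two values are encoded; the separating colon stays literal.
    credentials = f"{encode_credential(client_id)}:{encode_credential(client_secret)}"
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str) -> Tuple[str, str]:
    # Server side: strip the scheme, base64-decode strictly, split on the
    # first colon only, then undo the percent-encoding of each part.
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    encoded_id, sep, encoded_secret = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator between client_id and client_secret")
    return unquote(encoded_id), unquote(encoded_secret)


def client_secret_matches(header: str, expected_id: str, expected_secret: str) -> bool:
    # Malformed headers are a plain failure, never an exception to the caller.
    try:
        client_id, secret = parse_basic_auth_header(header)
    except (ValueError, UnicodeDecodeError):
        return False
    # Compare both fields in constant time and combine without short-circuiting.
    id_ok = hmac.compare_digest(client_id.encode("utf-8"), expected_id.encode("utf-8"))
    secret_ok = hmac.compare_digest(secret.encode("utf-8"), expected_secret.encode("utf-8"))
    return id_ok & secret_ok


if __name__ == "__main__":
    # Reproduces the header shown in the curl example above.
    print(build_basic_auth_header("myClient", "forgerock"))
    # Constructed secret containing "%", "+" and ":" (all need encoding).
    hdr = build_basic_auth_header("example.com", "p%ss+w0rd:x")
    print(hdr)
    print(parse_basic_auth_header(hdr))
    print(client_secret_matches(hdr, "example.com", "p%ss+w0rd:x"))
```

The round trip shows why the colon itself must stay unencoded: the server splits on the first literal colon, and percent-encoding the values guarantees that no literal colon survives inside either of them.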
Ensure that communication with the authorization server happens over a secure protocol to help protect the credentials.
OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect Client Authentication.