Authenticate clients with form parameters
Clients that have a client secret can send the client ID in the client_id form parameter and the secret in the client_secret form parameter in the body of the request.
For example:
$ curl \
--request POST \
--data "client_id=myClient" \
--data "client_secret=forgerock" \
…
This is the simplest way to authenticate to any of the OAuth 2.0 endpoints, and the least secure, since the client credentials are exposed. Ensure that communication with the authorization server happens over a secure protocol to protect the secret, and use this method in production only if the other methods are not available for your client.
OpenID Connect clients must also specify the authentication method they are using in their client profiles. See OpenID Connect client authentication.
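The following is an added example, not code from this documentation: a client-side helper that sends the credentials as form parameters in the body, refuses any endpoint that is not HTTPS, and produces a log-safe copy of the body. The endpoint URL, the function names and the grant_type value are assumptions chosen for illustration; the client ID and secret are the sample values from the curl command above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request

CREDENTIAL_FIELDS = ("client_id", "client_secret")
REDACTED_FIELDS = ("client_secret",)  # values that must never reach logs


def build_token_request(token_url, client_id, client_secret, **params):
    """Build a POST that carries the client credentials as form parameters."""
    parts = urlsplit(token_url)
    # The secret travels verbatim in the body, so only TLS protects it in transit.
    if parts.scheme != "https":
        raise ValueError("refusing to send client_secret over %r" % parts.scheme)
    # Credentials in the query string would be recorded by proxies and access logs.
    if any(name in CREDENTIAL_FIELDS for name, _ in parse_qsl(parts.query)):
        raise ValueError("credentials belong in the request body, not the URL")
    form = dict(params, client_id=client_id, client_secret=client_secret)
    body = urlencode(form).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return Request(token_url, data=body, method="POST", headers=headers)


def redact_form_body(body):
    """Return a copy of a form-encoded body that is safe to write to a log."""
    pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True)
    return urlencode(
        [(k, "REDACTED" if k in REDACTED_FIELDS else v) for k, v in pairs]
    )


if __name__ == "__main__":
    # Constructed sample: placeholder endpoint, nothing is sent over the network.
    req = build_token_request(
        "https://as.example.com/token",
        "myClient",
        "forgerock",
        grant_type="client_credentials",
    )
    print(req.get_method(), req.full_url)
    print(redact_form_body(req.data))
```

Pass the returned request to urllib.request.urlopen to send it; log only the output of redact_form_body, never req.data.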