AM 7.4.0

OIDC client authentication

OIDC clients use the authentication methods described in OAuth 2.0 client authentication.

Each OIDC client must declare its authentication method in its client profile. In the AM admin UI, go to Realms > Realm Name > Applications > OAuth 2.0 > Advanced and select the method in the Token Endpoint Authentication Method drop-down list. The method names are the standard OpenID Connect and RFC 8705 identifiers; the token endpoint rejects a request whose credentials do not match the registered method:

Method / Description

client_secret_basic (default)

The client sends its client_id and client_secret in an HTTP Basic Authorization header.

client_secret_post

The client sends its credentials as client_id and client_secret form parameters in the request body.

When a client authenticates with form parameters, AM can store the POST data on the user agent in an OAUTH_REQUEST_ATTRIBUTES cookie. AM uses the cookie to resume the authorization flow across redirects, and marks the cookie for deletion on the next successful OAuth 2.0 authorization.

none

The client is public and does not authenticate; it only identifies itself with its client_id.

Public clients are never authenticated at the token endpoint, whatever value is selected here.

private_key_jwt

The client sends its credentials as a signed JSON Web Token (JWT) client assertion.

self_signed_tls_client_auth

The client authenticates with a self-signed certificate presented during the mutual TLS handshake.

tls_client_auth

The client authenticates with a CA-signed certificate presented during the mutual TLS handshake.
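The following is an added example, not ForgeRock code, showing what the first four methods look like on the wire and what a token endpoint must check before trusting a JWT client assertion. The endpoint URL, client_id and secret are constructed values; the assertion is signed with HS256 through the standard hmac module as a stand-in for the RS256/ES256 private key a real private_key_jwt client would use. The two mutual TLS methods are not covered because their credential is the client certificate in the TLS handshake, not anything in the HTTP request.

```python
"""Token-endpoint requests for each client authentication method, plus the
server-side checks on a JWT client assertion (RFC 7523 section 3).
Added example, not ForgeRock AM code.  Endpoint, client_id and secrets are
constructed; HS256 via hmac stands in for the client's private key."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qsl, quote, urlencode

TOKEN_ENDPOINT = "https://am.example.com/am/oauth2/realms/root/access_token"  # constructed
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS, HS256.  A real private_key_jwt client signs with RS256/ES256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def client_assertion(client_id: str, key: bytes, aud: str = TOKEN_ENDPOINT, ttl: int = 60) -> str:
    """iss == sub == client_id, aud == token endpoint, short exp, unique jti."""
    now = int(time.time())
    return sign_jwt({"iss": client_id, "sub": client_id, "aud": aud,
                     "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}, key)


def build_token_request(method: str, client_id: str, secret=None, grant: dict = None):
    """Return (headers, url-encoded body) for one Token Endpoint Authentication Method."""
    grant = dict(grant or {"grant_type": "client_credentials"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-encode id and secret before base64, so ':' or '%' in them survive
        cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif method == "client_secret_post":
        grant.update(client_id=client_id, client_secret=secret)
    elif method == "none":
        grant["client_id"] = client_id  # public client: identified, never authenticated
    elif method == "private_key_jwt":
        grant.update(client_assertion_type=ASSERTION_TYPE,
                     client_assertion=client_assertion(client_id, secret))
    else:
        raise ValueError(f"unsupported method {method}")
    return headers, urlencode(grant)


def form_fields(body: str) -> dict:
    return dict(parse_qsl(body))


class AssertionVerifier:
    """What the token endpoint checks before accepting a client_assertion."""

    def __init__(self, endpoint: str, keys: dict):
        self.endpoint = endpoint
        self.keys = keys          # client_id -> verification key (constructed registry)
        self.seen_jti = {}        # jti -> exp, for replay detection

    def verify(self, assertion: str, now: int = None) -> str:
        now = now or int(time.time())
        header_b64, body_b64, sig_b64 = assertion.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")          # never let the token pick the algorithm
        claims = json.loads(b64url_decode(body_b64))
        client_id = claims.get("iss")
        key = self.keys.get(client_id)
        if key is None:
            raise ValueError("unknown client")
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        if claims.get("sub") != client_id:
            raise ValueError("iss/sub mismatch")
        aud = claims.get("aud")
        if self.endpoint not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")           # assertion minted for another server
        if "exp" not in claims or now >= claims["exp"]:
            raise ValueError("assertion expired")
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}
        jti = claims.get("jti")
        if jti is None or jti in self.seen_jti:
            raise ValueError("missing or replayed jti")
        self.seen_jti[jti] = claims["exp"]
        return client_id
```

The verifier order matters: the signature is checked before any claim is trusted, the alg header is pinned rather than read from the token, and the jti cache is bounded by exp so a replayed assertion is refused for exactly as long as it would otherwise be valid.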

Copyright © 2010-2024 ForgeRock, all rights reserved.