OpenID Connect Client Authentication

OAuth 2.0 and OpenID Connect clients can use the same authentication methods described in OAuth 2.0 Client Authentication.

However, when using OpenID Connect, you must specify in the client profile the type of authentication the client is using. To configure the authentication method, go to Realms > Realm Name > Applications > OAuth 2.0 > Advanced, and select one of the following options in the Token Endpoint Authentication Method drop down:

  • client_secret_post, if the client sends its credentials as form parameters.

  • client_secret_basic, if the client sends its credentials in a basic authorization header.

  • private_key_jwt, if the client sends its credentials as a JWT.

  • tls_client_auth, if the client uses a CA-signed certificate for mutual TLS authentication.

  • self_signed_tls_client_auth, if the client uses a self-signed certificate for mutual TLS authentication.

  • none, if the client is public.

    AM will not require a public client to authenticate even if the authentication method is set to a value different from none.

During authentication by HTTP POST without a client_id parameter, AM stores the POST data on the user-agent in an AUTH_REQUEST_ATTRIBUTES cookie. This cookie lets AM continue the authentication process across redirects. AM marks the cookie for deletion on the next successful OAuth 2.0 authorization.