Identity Cloud

OpenID Connect client authentication

OAuth 2.0 and OpenID Connect clients can use the same authentication methods described in OAuth 2.0 client authentication.

However, when using OpenID Connect, you must specify in the client profile the type of authentication the client uses. To configure the authentication method, go to Realms > Realm Name > Applications > OAuth 2.0 > Advanced, and select one of the following options in the Token Endpoint Authentication Method drop-down:

  • client_secret_post, if the client sends its credentials as form parameters.

  • client_secret_basic, if the client sends its credentials in a basic authorization header.

  • private_key_jwt, if the client sends its credentials as a JWT.

  • tls_client_auth, if the client uses a CA-signed certificate for mutual TLS authentication.

  • self_signed_tls_client_auth, if the client uses a self-signed certificate for mutual TLS authentication.

  • none, if the client is public.

    AM will not require a public client to authenticate even if the authentication method is set to a value different from none.

When a client authenticates with form parameters, AM can store POST data on the user-agent in an OAUTH_REQUEST_ATTRIBUTES cookie. AM uses the cookie to continue the authentication process across redirects. AM marks the cookie for deletion on the next successful OAuth 2.0 authorization.

Copyright © 2010-2023 ForgeRock, all rights reserved.