Client application authentication
OAuth 2.0 client applications send their authentication credentials using one of the following mechanisms:

- The Authorization header (HTTP Basic) (default)
Authentication depends on the Client Type defined in the Advanced Identity Cloud admin UI under Applications > Name > Sign On > General Settings > Advanced > Authentication:

- Confidential clients

  These applications include websites and services that make secure connections to Advanced Identity Cloud. They can protect their client secret or JSON Web Token (JWT).

  You configure the authentication method for a confidential client in the Advanced Identity Cloud admin UI under Applications > Name > Sign On > General Settings > Advanced > Authentication as the Token Endpoint Authentication Method.

  When a client authenticates with form parameters, the server can store POST data on the user-agent in an `OAUTH_REQUEST_ATTRIBUTES` cookie. Advanced Identity Cloud uses the cookie to continue the authentication process across redirects. It marks the cookie for deletion on the next successful OAuth 2.0 authorization.

- Public clients

  These are single-page applications (SPAs) and applications running on devices. They cannot protect secrets. Public clients identify themselves by client ID, but do not fully authenticate.

  Public OpenID Connect clients must specify `none` as their authentication method.
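The following is an added example, not Advanced Identity Cloud code, showing what the mechanisms above look like on the wire: the HTTP Basic Authorization header a confidential client sends (built per RFC 6749 section 2.3.1, which form-urlencodes the client ID and secret before Base64 so a `:` or `/` in the secret cannot split the credential pair), the form-parameter alternative, and the `none` method a public client uses, where only the client ID is sent. The helper names, the `check_token_request` server-side sanity check, and all client IDs and secrets are constructed for illustration and are not part of the product.

```python
"""Added example: building and checking OAuth 2.0 client authentication at the token endpoint.
Helper names and sample credentials are hypothetical, not Advanced Identity Cloud APIs."""
import base64
from urllib.parse import quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build an HTTP Basic Authorization header value for a confidential client.

    RFC 6749 section 2.3.1 requires both values to be form-urlencoded before
    they are joined with ':' and Base64-encoded, so reserved characters in the
    secret survive intact.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_basic_auth_header(value: str):
    """Server-side inverse of basic_auth_header. Returns (client_id, secret) or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        # validate=True rejects non-alphabet characters instead of silently discarding them.
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(client_id), unquote(secret)


def build_token_request(method: str, client_id: str, client_secret=None, form=None):
    """Return (headers, body) for a token endpoint request using one
    Token Endpoint Authentication Method:
      client_secret_basic - Authorization header (the default described above)
      client_secret_post  - client_id and client_secret as form parameters
      none                - public client: client_id only, no secret
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(form or {})
    if method == "client_secret_basic":
        if not client_secret:
            raise ValueError("client_secret_basic requires a client secret")
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        if not client_secret:
            raise ValueError("client_secret_post requires a client secret")
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif method == "none":
        # A public client (SPA, native app) cannot protect a secret, so never send one.
        if client_secret is not None:
            raise ValueError("public clients must not send a client secret")
        body["client_id"] = client_id
    else:
        raise ValueError(f"unsupported authentication method {method!r}")
    return headers, body


def check_token_request(headers: dict, body: dict) -> list:
    """Hypothetical server-side sanity check. Returns a list of problems; empty means OK.

    RFC 6749 section 2.3 forbids a client from using more than one authentication
    method in a single request, and every request must at least identify the client.
    """
    problems = []
    has_basic = "Authorization" in headers
    has_post_secret = "client_secret" in body
    if has_basic and has_post_secret:
        problems.append("more than one client authentication method in one request")
    if has_basic and parse_basic_auth_header(headers["Authorization"]) is None:
        problems.append("malformed Basic credentials")
    if not has_basic and "client_id" not in body:
        problems.append("no client identification")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    h, b = build_token_request("client_secret_basic", "web-app", "s3cr3t:with/slash",
                               {"grant_type": "client_credentials"})
    print(h["Authorization"], parse_basic_auth_header(h["Authorization"]), check_token_request(h, b))
    h2, b2 = build_token_request("none", "spa-client", form={"grant_type": "authorization_code"})
    print(b2, check_token_request(h2, b2))
```

The Basic-header round trip is the part worth checking in practice: a server that splits the decoded string on the first `:` without percent-decoding, or a client that skips the encoding step, will reject or mangle any secret containing a colon.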