authentication method for a client in OAuth.
The client MUST NOT use more than one authentication method in each request.
Client authentication is used for:
If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server.
The authorization server MAY accept any form of client authentication meeting its security requirements.
Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g.:
The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.
The requirements are based on the client type (confidential or public) and on the security requirements of the authorization server.
The authorization server MUST require the use of TLS, as described in the specification's TLS requirements, when sending requests using password authentication.
Since this client authentication method involves a password, the authorization server MUST protect any endpoint utilizing it against brute force attacks.
Clients in possession of a client password MAY use the HTTP Basic authentication scheme to authenticate with the authorization server, using the client identifier as the username and the client password as the password. Both values are first encoded using the application/x-www-form-urlencoded encoding algorithm per Appendix B, and the resulting username:password pair is then Base64-encoded to form the Basic credentials.
For example, the Authorization header (the credentials here are the Base64 encoding of s6BhdRkqt3:7Fjfp0ZBr1KtDRbnfVdmIw, the same client_id and client_secret used in the request-body example below):
Authorization: Basic <credentials>
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
Alternatively, the authorization server MAY support including the client credentials in the request-body using the following parameters: client_id (the client identifier) and client_secret (the client password).
Including the client credentials in the request-body using these two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes).
The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI (the query string).
For example, a request to refresh an access token using the body parameters:
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
Any other suitable HTTP authentication scheme that the authorization server supports can also be used.
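The Basic-header construction described above and the server-side rules for the request-body parameters, as one added worked example (this is not code from the original page or from RFC 6749): the client side builds the Authorization header exactly as the Appendix B step requires, and a hypothetical TokenEndpoint class enforces the server-side requirements quoted on this page: credentials in the request URI rejected, exactly one authentication method per request, constant-time secret comparison, and a per-client failure counter as the brute-force protection. The class, the helper names, the lockout thresholds and the client registry are assumptions made for the example; the identifiers reuse the page's own s6BhdRkqt3 / 7Fjfp0ZBr1KtDRbnfVdmIw.

```python
"""Added example, not code from the original page or RFC 6749.  All class and
function names here are hypothetical; the client registry is constructed."""
import base64
import hmac
import time
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlsplit


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side: form-urlencode each value (Appendix B) before joining with ':'
    and Base64-encoding, so a ':' or '%' inside a secret cannot split the pair."""
    userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


class AuthError(Exception):
    """Any rejected client authentication attempt (an invalid_client response)."""


class TokenEndpoint:
    """Server side of client-password authentication for confidential clients."""

    def __init__(self, clients: dict, max_failures: int = 5, window_seconds: int = 300):
        self._clients = clients      # client_id -> client_secret (constructed registry)
        self._failures = {}          # client_id -> (failure count, window start time)
        self.max_failures = max_failures
        self.window_seconds = window_seconds

    def authenticate(self, target: str, headers: dict, body: str, now: float = None) -> str:
        """Return the authenticated client_id for a POST to the token endpoint, or raise.
        target = request-target (path + query); headers looked up as 'Authorization'
        (real servers match header names case-insensitively); body = form-urlencoded."""
        now = time.time() if now is None else now

        # Client credentials MUST NOT travel in the request URI.
        query = parse_qs(urlsplit(target).query)
        if "client_id" in query or "client_secret" in query:
            raise AuthError("client credentials MUST NOT be included in the request URI")

        presented = []  # every authentication method found in this request
        auth = headers.get("Authorization")
        if auth is not None:
            scheme, _, token = auth.partition(" ")
            if scheme.lower() != "basic":
                raise AuthError("unsupported HTTP authentication scheme")
            try:
                userpass = base64.b64decode(token.strip(), validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                raise AuthError("malformed Basic credentials") from None
            user, sep, secret = userpass.partition(":")
            if not sep:
                raise AuthError("malformed Basic credentials")
            # Undo the Appendix B encoding applied by the client.
            presented.append((unquote_plus(user), unquote_plus(secret)))

        form = parse_qs(body, keep_blank_values=True)
        if "client_secret" in form:
            presented.append((form.get("client_id", [""])[0], form["client_secret"][0]))

        if not presented:
            raise AuthError("confidential client must authenticate")
        if len(presented) > 1:
            raise AuthError("client MUST NOT use more than one authentication method")

        client_id, secret = presented[0]
        if self._locked_out(client_id, now):
            raise AuthError("too many failed attempts; try again later")
        # Unknown client_ids are compared against an empty secret so the timing of
        # the comparison does not reveal which identifiers are registered.
        expected = self._clients.get(client_id, "")
        ok = hmac.compare_digest(expected.encode(), secret.encode()) and client_id in self._clients
        if not ok:
            self._record_failure(client_id, now)
            raise AuthError("invalid_client")
        self._failures.pop(client_id, None)  # a successful login clears the counter
        return client_id

    def _locked_out(self, client_id: str, now: float) -> bool:
        count, start = self._failures.get(client_id, (0, now))
        if now - start > self.window_seconds:
            self._failures.pop(client_id, None)  # window expired, counter reset
            return False
        return count >= self.max_failures

    def _record_failure(self, client_id: str, now: float) -> None:
        count, start = self._failures.get(client_id, (0, now))
        if now - start > self.window_seconds:
            count, start = 0, now
        self._failures[client_id] = (count + 1, start)


def try_authenticate(endpoint: TokenEndpoint, target: str, headers: dict, body: str, now=None):
    """Return ('ok', client_id) or ('error', message) instead of raising."""
    try:
        return ("ok", endpoint.authenticate(target, headers, body, now))
    except AuthError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    endpoint = TokenEndpoint({"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"})
    header = {"Authorization": build_basic_header("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw")}
    body = "grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA"
    print(header["Authorization"])
    print(try_authenticate(endpoint, "/token", header, body))
    print(try_authenticate(endpoint, "/token", header, body + "&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw"))
```

The encode step matters in practice: a secret containing ':' or '%' that is Base64-encoded raw would be split or misread by the server, whereas quote_plus/unquote_plus on both sides round-trips it. The lockout counter is keyed on the presented client_id and kept in memory for illustration only; a production server would back it with shared storage and also rate-limit by source address.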