client_ secret
Registry Context
client_secret is an optional OAuth 2.0 client information response parameter issued for a confidential client. If issued, it must be unique for each client_id, should be unique among multiple client instances sharing a client_id, and requires client_secret_expires_at in the response.
Technical Summary
RFC 7591 defines client_secret as an OPTIONAL OAuth 2.0 client secret string in the client information response. If issued, it MUST be unique for each client_id and SHOULD be unique for multiple client instances using the same client_id. The client_secret_expires_at response parameter is REQUIRED when client_secret is issued.
When Used
Used by confidential clients to authenticate to the token endpoint.
Normative Requirements
Authorization servers
RFC 7591 - Section 3.2.1
ensure the issued client_secret is unique for each client_id.
Condition: if client_secret is issued
If issued, this MUST be unique for each "client_id"
RFC 7591 - Section 3.2.1
include client_secret_expires_at in the client information response.
Condition: if client_secret is issued
client_secret_expires_at REQUIRED if "client_secret" is issued.
RFC 7591 - Section 3.2.1
ensure the issued client_secret is unique for multiple client instances using the same client_id.
Condition: if client_secret is issued
SHOULD be unique for multiple instances of a client using the same "client_id"
RFC 7591 - Section 3.2.1
include client_secret in the client information response.
Condition: when returning client information for a confidential client
client_secret OPTIONAL.
Validation Guidance
If client_secret is present, verify that client_secret_expires_at is also present.
Verify that an issued client_secret is not used with a different client_id.
For multiple client instances sharing a client_id, verify that distinct client_secret values are used where practicable.
Security Notes
RFC 7591 - Section 3.2.1
Confidential clients use client_secret to authenticate to the token endpoint.
Reference
Details
- Entry Id
client_secret - Client Metadata Name
client_secret - Client Metadata Description
Client secret- Change Controller
IESG- Reference
RFC7591