oauth2.dev

client_secret

IESG

Registry Context

client_secret is an optional OAuth 2.0 client information response parameter issued for a confidential client. If issued, it must be unique for each client_id, should be unique among multiple client instances sharing a client_id, and requires client_secret_expires_at in the response.

Technical Summary

RFC 7591 defines client_secret as an OPTIONAL OAuth 2.0 client secret string in the client information response. If issued, it MUST be unique for each client_id and SHOULD be unique for multiple client instances using the same client_id. The client_secret_expires_at response parameter is REQUIRED when client_secret is issued.

When Used

Used by confidential clients to authenticate to the token endpoint.

Normative Requirements

Authorization servers

MUST
1
  1. RFC 7591 - Section 3.2.1

    ensure the issued client_secret is unique for each client_id.

    Condition: if client_secret is issued

    If issued, this MUST be unique for each "client_id"

REQUIRED
1
  1. RFC 7591 - Section 3.2.1

    include client_secret_expires_at in the client information response.

    Condition: if client_secret is issued

    client_secret_expires_at REQUIRED if "client_secret" is issued.

SHOULD
1
  1. RFC 7591 - Section 3.2.1

    ensure the issued client_secret is unique for multiple client instances using the same client_id.

    Condition: if client_secret is issued

    SHOULD be unique for multiple instances of a client using the same "client_id"

OPTIONAL
1
  1. RFC 7591 - Section 3.2.1

    include client_secret in the client information response.

    Condition: when returning client information for a confidential client

    client_secret OPTIONAL.

Validation Guidance

error

If client_secret is present, verify that client_secret_expires_at is also present.

error

Verify that an issued client_secret is not used with a different client_id.

warning

For multiple client instances sharing a client_id, verify that distinct client_secret values are used where practicable.

Security Notes

RFC 7591 - Section 3.2.1

Confidential clients use client_secret to authenticate to the token endpoint.

Reference

Details

Entry Id
client_secret
Client Metadata Name
client_secret
Client Metadata Description
Client secret
Change Controller
IESG
Reference
RFC7591