oauth2.dev

token_endpoint_auth_method

IESG

Registry Context

Client metadata string indicating the authentication method requested for the token endpoint. RFC 7591 defines `none`, `client_secret_post`, and `client_secret_basic`, allows registered extension values and absolute URI values, and specifies `client_secret_basic` as the default when the field is omitted or unspecified.

Technical Summary

`token_endpoint_auth_method` is an OAuth 2.0 Dynamic Client Registration metadata string used as input to registration requests and output in registration responses. RFC 7591 defines `none`, `client_secret_post`, and `client_secret_basic`. Additional values can be registered in the OAuth Token Endpoint Authentication Methods registry, while absolute URI values can be used without registration.

When Used

In dynamic client registration requests to indicate the requested token endpoint authentication method and in registration responses as returned client metadata.

Normative Requirements

Authorization servers

MUST
  1. RFC 7591 - Section 2

    Give the software statement claim value precedence over the directly supplied registration-request value for `token_endpoint_auth_method`.

    Condition: When the metadata name appears in both locations and the authorization server trusts the software statement.

    If the same client metadata name is present in both locations and the software statement is trusted by the authorization server, the value of a claim in the software statement MUST take precedence.

Implementations

OPTIONAL
  1. RFC 7591 - Section 2

    Implement and use the `token_endpoint_auth_method` client metadata field.

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

Validation Guidance

error

Verify that `token_endpoint_auth_method`, when present, is a JSON string.

info

Recognize the values `none`, `client_secret_post`, and `client_secret_basic`; extension values may be registered method names or absolute URIs.

info

When the field is omitted or unspecified, treat `client_secret_basic` as the specified default.
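The three validation rules above, together with the software-statement precedence rule from the normative requirements, as an added example in Python (not code from oauth2.dev or from any RFC 7591 implementation). The extension set `SUPPORTED_EXTENSIONS`, the exception type `InvalidClientMetadata` and the sample request bodies are assumptions constructed for the example.

```python
import json
from urllib.parse import urlparse

# Methods defined directly by RFC 7591.
RFC7591_METHODS = {"none", "client_secret_post", "client_secret_basic"}
# Hypothetical: extension method names this server supports. Real extension names
# come from the IANA "OAuth Token Endpoint Authentication Methods" registry.
SUPPORTED_EXTENSIONS = {"private_key_jwt"}
DEFAULT_METHOD = "client_secret_basic"  # RFC 7591 default when the field is omitted
FIELD = "token_endpoint_auth_method"


class InvalidClientMetadata(ValueError):
    """Hypothetical error type; a real server would answer invalid_client_metadata."""


def is_absolute_uri(value: str) -> bool:
    """True for values carrying a scheme, e.g. 'urn:example:method' or 'https://...'."""
    parsed = urlparse(value)
    return bool(parsed.scheme) and bool(parsed.netloc or parsed.path)


def resolve_auth_method(request_body: str, software_statement_claims=None,
                        statement_trusted=False) -> str:
    """Return the effective token_endpoint_auth_method for a registration request.

    request_body is the raw JSON registration request; software_statement_claims is
    the already-verified claim set of the software_statement, if one was supplied.
    """
    metadata = json.loads(request_body)
    value = metadata.get(FIELD)
    # RFC 7591 section 2: a claim in a *trusted* software statement takes precedence
    # over the directly supplied value. Untrusted statements are not consulted here.
    if statement_trusted and software_statement_claims and FIELD in software_statement_claims:
        value = software_statement_claims[FIELD]
    if value is None:  # omitted or unspecified: apply the RFC 7591 default
        return DEFAULT_METHOD
    if not isinstance(value, str):  # must be a JSON string, not a list/number/object
        raise InvalidClientMetadata(f"{FIELD} must be a JSON string")
    if value in RFC7591_METHODS or value in SUPPORTED_EXTENSIONS or is_absolute_uri(value):
        return value
    raise InvalidClientMetadata(f"unrecognized {FIELD} value: {value!r}")


def classify_auth_method(value: str) -> str:
    """Which of the three RFC 7591 value categories a resolved method falls into."""
    if value in RFC7591_METHODS:
        return "rfc7591"
    if is_absolute_uri(value):
        return "absolute_uri"
    return "extension"
```

Whether an absolute-URI method is actually implemented by the server is a separate policy check; the code only confirms the value is syntactically admissible.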

Reference

Details

Entry Id
token_endpoint_auth_method
Client Metadata Name
token_endpoint_auth_method
Client Metadata Description
Requested authentication method for the token endpoint
Change Controller
IESG
Reference
RFC7591