oauth2.dev

client_secret

IETF

Registry Context

`client_secret` is a client password used to authenticate a client. Clients can use it through HTTP Basic authentication, or an authorization server may accept it in the request body. The body method is not recommended, and credentials must not appear in the request URI.

Technical Summary

RFC 6749 Section 2.3.1 requires authorization servers to support HTTP Basic authentication for clients issued a client password. An authorization server may alternatively accept `client_id` and `client_secret` in the request body. In that mode, `client_secret` is REQUIRED unless the secret is an empty string, and the credentials MUST NOT appear in the request URI. Password authentication requires TLS and brute-force protection. RFC 9700 recommends asymmetric client authentication instead of symmetric secrets.

When Used

Primarily when a client issued credentials authenticates to the token endpoint.

Normative Requirements

Clients

MUST NOT
1
  1. RFC 6749 - Section 2.3.1

    include request-body client credential parameters in the request URI.

    Condition: when transmitting client credentials

    MUST NOT be included in the request URI.

MUST
1
  1. RFC 6749 - Section 3.2.1

    authenticate with the authorization server as described in Section 2.3.

    Condition: when the client is confidential or was otherwise issued client credentials and makes a token endpoint request

    Confidential clients or other clients issued client credentials MUST authenticate with the authorization server

REQUIRED
1
  1. RFC 6749 - Section 2.3.1

    include `client_secret` as a request-body parameter.

    Condition: when using request-body client credentials and the client secret is not an empty string

    client_secret REQUIRED. The client secret.

MAY
2
  1. RFC 6749 - Section 2.3.1

    use HTTP Basic authentication with its client password.

    Condition: when the client possesses a client password

    Clients in possession of a client password MAY use the HTTP Basic authentication scheme

  2. RFC 6749 - Section 2.3.1

    omit the `client_secret` parameter.

    Condition: if the client secret is an empty string

    The client MAY omit the parameter if the client secret is an empty string.

Authorization servers

MUST
3
  1. RFC 6749 - Section 2.3.1

    support HTTP Basic authentication.

    Condition: for authenticating clients that were issued a client password

    The authorization server MUST support the HTTP Basic authentication scheme

  2. RFC 6749 - Section 2.3.1

    require TLS.

    Condition: when requests use password authentication

    The authorization server MUST require the use of TLS

  3. RFC 6749 - Section 2.3.1

    protect every endpoint using client password authentication against brute-force attacks.

    the authorization server MUST protect any endpoint utilizing it against brute force attacks.

SHOULD
2
  1. RFC 6749 - Section 2.3.1

    limit request-body client credentials to clients unable to use HTTP Basic or another password-based HTTP authentication scheme.

    Condition: when supporting request-body client credentials

    SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme

  2. RFC 9700 - Section 2.5

    enforce client authentication.

    Condition: if the deployment can establish credential issuance or registration and ensure credential confidentiality

    Authorization servers SHOULD enforce client authentication if it is feasible

MAY
1
  1. RFC 6749 - Section 2.3.1

    support including client credentials in the request body using `client_id` and `client_secret`.

    the authorization server MAY support including the client credentials in the request-body

Unspecified actor

RECOMMENDED
1
  1. RFC 9700 - Section 2.5

    use asymmetric cryptography for client authentication.

    It is RECOMMENDED to use asymmetric cryptography for client authentication

Validation Guidance

error

Require clients issued credentials to authenticate when making token endpoint requests.

error

Ensure HTTP Basic authentication is supported for clients issued a client password.

error

When request-body authentication is used, require `client_secret` unless the registered secret is an empty string.

error

Reject client credentials included in the request URI.

warning

Limit request-body credentials to clients unable to use HTTP Basic or another password-based HTTP authentication scheme.

error

Enforce TLS for password-based client authentication.

error

Protect every endpoint accepting client password authentication against brute-force attacks.

warning

Prefer asymmetric client authentication methods where supported.

Security Notes

RFC 6749 - Section 2.3.1

Password-based client authentication requires TLS and brute-force protection.

RFC 6749 - Section 2.3.1

Request-body client credentials are not recommended by RFC 6749 and must never be placed in the request URI.

RFC 9700 - Section 2.5

RFC 9700 recommends asymmetric client authentication, such as mutual TLS or signed JWTs, because it avoids storing sensitive symmetric client secrets.

Reference

Details

Entry Id
client_secret
Name
client_secret
Parameter Usage Location
token request
Change Controller
IETF
Reference
RFC6749