oauth2.dev

none

IESG

Registry Context

The `none` token endpoint authentication method identifies a public client that has no client secret and does not authenticate at the token endpoint.

Technical Summary

RFC 7591 defines `none` as a `token_endpoint_auth_method` value for a public client, as defined by RFC 6749, that has no client secret. Registered authentication method names are case-sensitive.

When Used

Use `none` when registering a public client that will not authenticate at the token endpoint.

Normative Requirements

Authorization servers

MUST NOT
1
  1. RFC 6749 - Section 2.3

    rely on public client authentication to identify the client.

    Condition: when a client is public

    The authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

Implementations

OPTIONAL
1
  1. RFC 7591 - Section 2

    implement and use the token_endpoint_auth_method client metadata field.

    Condition: unless another provision states otherwise

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

registration authorities

SHOULD NOT
1
  1. RFC 7591 - Section 4.2.1

    accept a requested authentication method name that matches another registered name case-insensitively.

    Condition: when registering a token endpoint authentication method name

    Names that match other registered names in a case-insensitive manner SHOULD NOT be accepted.

Validation Guidance

info

Do not require support for the `token_endpoint_auth_method` metadata field solely because `none` is registered.

warning

When registering a new authentication method name, reject or flag a case-insensitive collision with an existing registered name.

error

Do not treat a public client's identifier or other non-secret value as authenticated client identity.

Security Notes

RFC 6749 - Section 2.3

Public clients cannot securely authenticate by maintaining confidential client credentials; an authorization server must not rely on such authentication to establish client identity.

Reference

Details

Entry Id
none
Token Endpoint Authentication Method Name
none
Change Controller
IESG
Reference
RFC7591