OpenID Connect Dynamic Client Registration Guide on OpenID Connect Dynamic Registration Guide

Token Endpoint Auth Methods

Mon, 01 Jan 0001 00:00:00 +0000

Token Endpoint Authentication Methods

The token_endpoint_auth_method attribute specifies how the client authenticates when requesting tokens from the token endpoint.

Standard Methods

`client_secret_basic`

Most common method for confidential clients

Client authenticates using HTTP Basic Authentication
client_id and client_secret are sent in the Authorization header
Format: Authorization: Basic base64(client_id:client_secret)
Widely supported and straightforward to implement

Example:

POST /token HTTP/1.1
Host: authorization-server.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA

`client_secret_post`

Client credentials in POST body

client_id and client_secret sent as form parameters in request body
Less secure than Basic Auth since credentials appear in request body
May be logged more easily by proxies and web servers
Use only when Basic Auth is not supported

Example:

Response Types

Mon, 01 Jan 0001 00:00:00 +0000

OAuth 2.0 Response Types

The response_types attribute specifies what the authorization endpoint returns in the authorization response after user authentication and consent.

OAuth 2.0 Response Types

`code`

Authorization Code Flow (recommended)

Returns authorization code in redirect URI query parameters
Code must be exchanged for tokens at token endpoint
Most secure - tokens never exposed to browser
Supports refresh tokens
Works with PKCE for public clients

Authorization Response:

HTTP/1.1 302 Found
Location: https://client.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

Pairs with grant type: authorization_code

Mon, 01 Jan 0001 00:00:00 +0000

OAuth 2.0 Grant Types

The grant_types attribute specifies which OAuth 2.0 flows (authorization grants) the client is permitted to use.

Standard Grant Types (RFC 6749)

`authorization_code`

The most common and secure flow

User redirected to authorization server for authentication and consent
Authorization server returns authorization code to client’s redirect URI
Client exchanges code for tokens at token endpoint
Supports refresh tokens
Tokens never exposed to browser
Works with PKCE for public clients

sequenceDiagram
participant User
participant Client
participant AuthServer as Authorization Server
participant API as Resource Server
User->>Client: 1. Click "Login"
Client->>AuthServer: 2. Redirect to /authorize
Note over AuthServer: response_type=code
User->>AuthServer: 3. Authenticate & consent
AuthServer->>Client: 4. Redirect with code
Note over Client: https://app.com/callback?code=ABC123
Client->>AuthServer: 5. POST /token (exchange code)
Note over Client,AuthServer: Code + client credentials
AuthServer->>Client: 6. Return tokens
Note over Client: access_token, refresh_token, id_token
Client->>API: 7. Call API with access_token
Note over Client,API: Authorization: Bearer {token}
API->>Client: 8. Protected resource

Flow: