PingAM

Authorization header (HTTP Basic)

This is the default authentication method for AM confidential clients.

The OAuth 2.0 client authenticates by sending the credentials in an HTTP Basic authentication (Authorization) header.

The value is client_id:client_secret, first URL encoded, then base64 encoded. For example, myClient:mySecret encodes to bXlDbGllbnQlM0FteVNlY3JldA:

$ curl \
--request POST \
--header "Authorization: Basic bXlDbGllbnQlM0FteVNlY3JldA" \
…​

To confirm this authentication method for a confidential OAuth 2.0 client, check the client profile in the AM admin UI:

  1. Go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID > Advanced.

  2. Verify the Token Endpoint Authentication Method is client_secret_basic and save your work.

Make sure all connections to AM use HTTPS to protect the secret.

URL encode the client_id and client_secret before base64 encoding the client_id:client_secret value.

For example, a client with ID example.com and secret s=cr%t has characters you must URL encode in the secret:

  • The URL-encoded ID remains example.com.

  • The URL-encoded secret is s%3Dcr%25t.

  • The credentials are example.com:s%3Dcr%25t before base64 encoding.

  • The base64-encoded form is ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==.

  • The final HTTP Basic header is Authorization: Basic ZXhhbXBsZS5jb206cyUzRGNyJTI1dA==