PingAM 7.5.0

OIDC client authentication

OIDC clients use the authentication methods described in OAuth 2.0 client authentication.

OIDC clients must set the authentication method in their profile. In the AM admin UI, go to Realms > Realm Name > Applications > OAuth 2.0 > Advanced and select the method in the Token Endpoint Authentication Method drop-down list:

Method Description

client_secret_basic (default)

The client sends its credentials in an HTTP Basic Authorization header.

client_secret_post

The client sends its credentials as client_id and client_secret form parameters.

When a client authenticates with form parameters, the server can store POST data on the user-agent in an OAUTH_REQUEST_ATTRIBUTES cookie. AM uses the cookie to continue the authentication process across redirects. It marks the cookie for deletion on the next successful OAuth 2.0 authorization.

none

The client is public and does not authenticate.

Public clients do not authenticate even if the authentication method is different from none.

private_key_jwt

The client sends its credentials as a JSON Web Token (JWT).

self_signed_tls_client_auth

The client uses a self-signed certificate for mutual TLS authentication.

tls_client_auth

The client uses a CA-signed certificate for mutual TLS authentication.