--- title: OIDC client authentication description: OIDC clients use the authentication methods described in Client application authentication. component: pingoneaic page_id: pingoneaic:am-oidc1:oidc-client-auth canonical_url: https://docs.pingidentity.com/pingoneaic/am-oidc1/oidc-client-auth.html keywords: ["OpenID Connect (OIDC)", "Standards", "Setup & Configuration", "Integration"] page_aliases: ["oidc1-guide:oidc-client-auth.adoc"] --- # OIDC client authentication OIDC clients use the authentication methods described in [Client application authentication](../am-oauth2/oauth2-client-auth.html). OIDC clients must set the authentication method in their profile. In the Advanced Identity Cloud admin console, go to Applications > *Client ID* > Sign On > General Settings > Show advanced settings > Authentication and select the method in the Token Endpoint Authentication Method drop-down list: | Method | Description | | ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `client_secret_basic` (default) | The client sends its credentials in an HTTP Basic `Authorization` header. | | `client_secret_post` | The client sends its credentials as `client_id` and `client_secret` form parameters.When a client authenticates with form parameters, the server can store POST data on the user-agent in an `OAUTH_REQUEST_ATTRIBUTES` cookie. Advanced Identity Cloud uses the cookie to continue the authentication process across redirects. It marks the cookie for deletion on the next successful OAuth 2.0 authorization. | | `none` | The client is public and does not authenticate.Public clients do not authenticate even if the authentication method is different from `none`. | | `private_key_jwt` | The client sends its credentials as a JSON Web Token (JWT). | | `self_signed_tls_client_auth` | The client uses a self-signed certificate for mutual TLS authentication. | | `tls_client_auth` | The client uses a CA-signed certificate for mutual TLS authentication. |