Client authentication considerations at the OAuth 2.0 token endpoint
The OAuth 2.0 token endpoint is used for direct communication between an OAuth client and the authorization server; the client calls it to obtain an OAuth token.
The client type, whether public or confidential, determines the authentication requirements at the OAuth 2.0 token endpoint. The Advanced Access Control runtime authenticates the client by using the client_id and client_secret that are sent in the request.
OAuth 2.0 workflows for confidential clients that require client authentication at the token endpoint can be configured in one of the following ways:
- The Advanced Access Control point of contact requires authentication at the token endpoint:
  - The point of contact is responsible for authenticating the client.
  - The Confidential check box from the client instance panel is not relevant. A client_secret parameter must not be sent in the token endpoint request.
  - If a client_id parameter is sent in the request, it must match the identity of the client that is authenticated by the point of contact.
- The Advanced Access Control point of contact permits unauthenticated access to the token endpoint:
  - The client_id parameter in the token endpoint request is used to identify the client.
  - The Confidential check box from the client instance panel determines whether a client_secret parameter is required in the token endpoint request. A client secret is required for confidential clients only.
- Basic Authentication is performed by the runtime instead of by the point of contact server.
Note: When enforcing client authentication at the token endpoint, the point of contact must contain the client ID and client secret within its user registry. The point of contact must be able to map the authenticated user credential to the client_id parameter sent in the OAuth 2.0 token endpoint request.
Based on this information, the following configurations are supported:
| Client types | Configurations | WebSEAL point of contact token endpoint URI considerations | Check box setting for the Confidential parameter |
|---|---|---|---|
| Confidential clients | The point of contact performs client authentication. | The token endpoint URI must require authentication at the point of contact. | N/A |
| Confidential clients | Basic Authentication is performed by the runtime. | The point of contact configuration does not need to make any change to the Authorization header. | N/A |
| Confidential clients | The client_id and client_secret parameters in the token endpoint request are used to perform client authentication. | The token endpoint URI must permit unauthenticated access at the point of contact. | Must be selected. |
| Public clients | The client_id parameter is used to perform client validation. | The token endpoint URI must permit unauthenticated access at the point of contact. | Must be cleared. |
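To make the rules above concrete, the following is an added example, not code from the product or from the Advanced Access Control runtime, that models the accept/reject decision for each configuration in the table. The client registry, the TokenRequest shape, the configuration names passed to build_request and every function name are this example's own assumptions; only the decision rules (no client_secret when the point of contact authenticates, client_id must match the authenticated identity, a secret is required only when the Confidential check box is selected, Basic Authentication can be checked by the runtime) come from this page.

```python
"""Model of the token-endpoint client-authentication rules described on this page.

Added example; not code from the product or the Advanced Access Control runtime.
The registry, request shape and all names are this example's own assumptions.
"""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample registry. 'confidential' stands in for the Confidential
# check box on the client instance panel.
CLIENTS: Dict[str, dict] = {
    "web-app": {"secret": "s3cr3t-web", "confidential": True},
    "mobile-app": {"secret": None, "confidential": False},
}


@dataclass
class TokenRequest:
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    # Identity the point of contact (for example WebSEAL) authenticated and mapped
    # to a client_id before forwarding; None when the endpoint is unauthenticated.
    poc_identity: Optional[str] = None


def basic_auth_header(client_id: str, client_secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def secret_matches(client_id: str, presented: Optional[str]) -> bool:
    expected = CLIENTS.get(client_id, {}).get("secret")
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())  # constant time


def build_request(config: str, client_id: str, client_secret: Optional[str] = None) -> TokenRequest:
    """Construct the token request shape that each configuration on the page expects."""
    form = {"grant_type": "client_credentials", "client_id": client_id}
    if config == "poc":  # point of contact authenticates; simulated by setting poc_identity
        return TokenRequest(headers={"Authorization": basic_auth_header(client_id, client_secret)},
                            form=form, poc_identity=client_id)
    if config == "runtime_basic":  # Authorization header passed through to the runtime
        return TokenRequest(headers={"Authorization": basic_auth_header(client_id, client_secret)}, form=form)
    if config == "form_secret":  # confidential client, credentials in the form body
        return TokenRequest(form={**form, "client_secret": client_secret})
    if config == "public":  # public client, client_id only
        return TokenRequest(form=form)
    raise ValueError(f"unknown configuration: {config}")


def authenticate_client(req: TokenRequest, poc_requires_auth: bool) -> Tuple[str, str]:
    """Return ("ok", client_id) or ("error", reason) for a token endpoint request."""
    form_id = req.form.get("client_id")
    form_secret = req.form.get("client_secret")

    if poc_requires_auth:
        # The point of contact already authenticated the client; the runtime
        # only enforces the consistency rules from the page.
        if req.poc_identity is None or req.poc_identity not in CLIENTS:
            return ("error", "point of contact did not map the caller to a registered client")
        if form_secret is not None:
            return ("error", "client_secret must not be sent when the point of contact authenticates")
        if form_id is not None and form_id != req.poc_identity:
            return ("error", "client_id does not match the identity authenticated by the point of contact")
        return ("ok", req.poc_identity)

    authz = req.headers.get("Authorization")
    if authz is not None:
        # Unauthenticated point of contact; Basic Authentication done by the runtime.
        creds = parse_basic_auth(authz)
        if creds is None:
            return ("error", "malformed Authorization header")
        client_id, secret = creds
        if not secret_matches(client_id, secret):
            return ("error", "invalid client credentials")
        return ("ok", client_id)

    # Unauthenticated point of contact; client_id in the form identifies the client.
    if form_id is None or form_id not in CLIENTS:
        return ("error", "unknown or missing client_id")
    if CLIENTS[form_id]["confidential"] and not secret_matches(form_id, form_secret):
        # Confidential check box selected: client_secret is required and must match.
        return ("error", "client_secret required for a confidential client")
    # Check box cleared (public client): client_id alone validates the client.
    return ("ok", form_id)
```

The two failure modes worth exercising are a request that carries client_secret in the form while the point of contact is configured to authenticate (rejected, because the runtime must not see the secret in that mode) and a confidential client that is sent through the unauthenticated path without a secret (rejected, because the Confidential check box makes the secret mandatory). Secret comparison uses hmac.compare_digest so the check does not leak timing information.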