CLIENT_SECRET_JWT Setup
Authentication requirements for the token endpoint are set by the application’s tokenEndpointAuthMethod property. When the application’s tokenEndpointAuthMethod is set to CLIENT_SECRET_JWT, the token endpoint authenticates the request with a JWT that the application signs using its client secret as the HMAC key; the secret itself is never sent. For information about creating the JWT and the claims in the JWT, refer to Create a client secret JWT. Token requests that use this authentication method carry the JWT in the client_assertion parameter and set client_assertion_type to urn:ietf:params:oauth:client-assertion-type:jwt-bearer (the assertion type defined by RFC 7523).
Key points
- JWT signed with HMAC-SHA256 (HS256) using the client secret as the key
- Includes claims: iss and sub (both set to the client_id), aud (the token endpoint URL), exp (expiry)
- The HMAC lets the authorization server detect tampering and confirm that the assertion was produced by a holder of the client secret; because that secret is shared with the server, HS256 does not provide non-repudiation (use PRIVATE_KEY_JWT, where only the client holds the signing key, when you need that)
- Better for audit trails and compliance requirements than sending the raw client secret, because each assertion is bound to an audience and an expiry and the secret never crosses the wire
The following workflow shows the application configuration to complete a sign-on flow using the CLIENT_SECRET_JWT client authentication method.
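The following is an added example, not code from the original page or from the vendor whose API it documents. It shows both sides of the CLIENT_SECRET_JWT exchange with only the Python standard library: the client builds the HS256 assertion with the claims listed above plus iat and jti (OIDC Core section 9 requires jti for client_secret_jwt so the server can reject replays), packages it into the token request with client_assertion and client_assertion_type, and the server-side function verifies the signature with the shared secret, pins the algorithm, and checks iss, sub, aud, exp and jti. The client_id, client secret, token endpoint URL and authorization code values are constructed for the example.

```python
"""client_secret_jwt assertion: client-side creation and server-side checks.
Added example; stdlib only. All identifiers and URLs below are made up."""
import base64
import hashlib
import hmac
import json
import secrets
import time

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_client_secret_jwt(client_id, client_secret, token_endpoint,
                             now=None, ttl=300, jti=None):
    """Client side: HS256 JWT keyed with the client secret (RFC 7523 / OIDC 9)."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,          # issuer and subject are both the client_id
        "sub": client_id,
        "aud": token_endpoint,     # audience is the token endpoint URL
        "iat": now,
        "exp": now + ttl,          # keep the lifetime short; one request only
        "jti": jti or secrets.token_urlsafe(16),  # unique id so the server can detect replay
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"),
                   hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(client_id, client_secret, token_endpoint, code,
                        redirect_uri, now=None):
    """Form fields for the token request; client_id is carried inside the assertion."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": create_client_secret_jwt(client_id, client_secret,
                                                     token_endpoint, now),
    }


def verify_client_secret_jwt(token, client_secret, expected_client_id,
                             token_endpoint, now=None, seen_jti=None):
    """Server side: returns the claims or raises ValueError on any failed check."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(client_secret.encode("utf-8"), f"{h_b64}.{c_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != expected_client_id or claims.get("sub") != expected_client_id:
        raise ValueError("iss/sub do not match the authenticating client")
    aud = claims.get("aud")
    if not (aud == token_endpoint or (isinstance(aud, list) and token_endpoint in aud)):
        raise ValueError("aud is not this token endpoint")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired or exp missing")
    if seen_jti is not None:               # replay cache, keyed on jti until exp
        jti = claims.get("jti")
        if not jti or jti in seen_jti:
            raise ValueError("missing or replayed jti")
        seen_jti.add(jti)
    return claims


def assertion_is_valid(token, client_secret, expected_client_id, token_endpoint,
                       now=None, seen_jti=None) -> bool:
    try:
        verify_client_secret_jwt(token, client_secret, expected_client_id,
                                 token_endpoint, now, seen_jti)
        return True
    except (ValueError, KeyError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    ep = "https://auth.example.com/as/token"       # constructed endpoint
    req = build_token_request("app-123", "s3cr3t-value", ep, "authz-code", "https://app.example.com/cb")
    print(json.dumps(req, indent=2))
    print(verify_client_secret_jwt(req["client_assertion"], "s3cr3t-value", "app-123", ep))
```

Two points worth keeping in mind: the server pins alg to HS256 rather than trusting the header, and it keeps a per-jti replay cache; both are cheap and close the gaps that make a leaked assertion reusable within its lifetime.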