CLIENT_SECRET_POST Setup
Authentication requirements for the token endpoint are set by the application’s tokenEndpointAuthMethod property. When the application’s tokenEndpointAuthMethod is set to CLIENT_SECRET_POST, the request does not need an Authorization header, and the client_id and client_secret property values are submitted in the request body.
Key points
- Credentials in POST body: client_id and client_secret parameters
- No Authorization header needed
- Easier for frameworks that don’t handle headers well
- Still requires secure transport (HTTPS)
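The request shape described above, as an added example that is not part of the original documentation: it builds (without sending) a token request with the credentials in the form body, refuses a non-HTTPS endpoint, and masks the secret for logging. The endpoint URL, the authorization_code grant, the sample values and the function names are assumptions made for illustration.

```python
import urllib.parse
import urllib.request

# Placeholder endpoint (assumption): substitute your environment's token endpoint.
TOKEN_URL = "https://auth.example.com/as/token"


def build_token_request(token_url, client_id, client_secret, code, redirect_uri):
    """Build (not send) a token request using CLIENT_SECRET_POST."""
    # The secret travels in the body, so plaintext transport would expose it.
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must use https")
    form = {
        "grant_type": "authorization_code",  # assumed grant for a sign-on flow
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,          # credentials go in the body...
        "client_secret": client_secret,  # ...and urlencode escapes /, + and =
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(token_url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    # No Authorization header is added for this authentication method.
    return req


def redacted_body(req):
    """Return the form body with client_secret masked, safe for debug logs."""
    pairs = urllib.parse.parse_qsl(req.data.decode("ascii"), keep_blank_values=True)
    return urllib.parse.urlencode(
        [(k, "REDACTED" if k == "client_secret" else v) for k, v in pairs]
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    r = build_token_request(TOKEN_URL, "my-client-id", "s3cr3t/+=", "AUTH_CODE",
                            "https://app.example.com/callback")
    print(r.get_method(), r.full_url)
    print(dict(r.header_items()))
    print(redacted_body(r))
```

Because the secret sits in the request body, any request-body logging on the client, a proxy or a gateway captures it unless the field is masked as in redacted_body.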
The following workflow shows the application configuration to complete a sign-on flow using the CLIENT_SECRET_POST client authentication method.