RFC 6749 Section 2.3: OAuth 2.0 Client Authentication

rfc-editor.org/rfc/rfc6749#section-2.3

Confidential clients authenticate when making requests to the OAuth authorization server.

The core OAuth 2.0 specification defines the "client password" (i.e. client secret) client authentication type, which covers both the client_secret parameter and the method of including the client secret in the HTTP Authorization header.

These are the most common forms of client authentication.

Note: PKCE is not a form of client authentication, and is not an alternative to client authentication. Applications using client authentication should also use PKCE.
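As an added illustration (not code from the RFC or from this page), the following sketch shows how an authorization server might accept the client password either in the HTTP Authorization header or as the client_secret parameter, while rejecting requests that use both at once. The client registry, the sample credentials, and the function names are constructed for this example.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote_plus

# Constructed registry of confidential clients (hypothetical values).
CLIENTS = {"demo-client": "p@ss:word+1"}

class ClientAuthError(Exception):
    """Carries the RFC 6749 error code to return to the client."""
    def __init__(self, error):
        super().__init__(error)
        self.error = error

def extract_credentials(authorization, body):
    """Return (client_id, client_secret) from a token request."""
    form = parse_qs(body, keep_blank_values=True)
    in_body = "client_secret" in form
    in_header = bool(authorization) and authorization.lower().startswith("basic ")
    if in_body and in_header:
        # Section 2.3: no more than one authentication method per request.
        raise ClientAuthError("invalid_request")
    if in_header:
        try:
            raw = base64.b64decode(authorization[6:].strip(), validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            raise ClientAuthError("invalid_client")
        user, sep, password = raw.partition(":")
        if not sep:
            raise ClientAuthError("invalid_client")
        # Section 2.3.1: both values are form-urlencoded before Basic encoding,
        # so a ":" inside the secret arrives as %3A and survives the split.
        return unquote_plus(user), unquote_plus(password)
    if in_body and "client_id" in form:
        return form["client_id"][0], form["client_secret"][0]
    raise ClientAuthError("invalid_client")

def authenticate_client(authorization, body):
    """Return the authenticated client_id or raise ClientAuthError."""
    client_id, secret = extract_credentials(authorization, body)
    expected = CLIENTS.get(client_id)
    # Constant-time comparison, performed even when the client is unknown.
    ok = hmac.compare_digest(secret.encode(), (expected or "").encode())
    if expected is None or not ok:
        raise ClientAuthError("invalid_client")
    return client_id
```
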
