RFC 6749 Section 2.3: OAuth 2.0 Client Authentication

rfc-editor.org/rfc/rfc6749#section-2.3

Confidential clients authenticate when making requests to the OAuth authorization server.

The core OAuth 2.0 specification defines the "client password" client authentication type, which defines the client_secret parameter as well as the method of including the client password in the HTTP Authorization header.

There are additional forms of client authentication defined in extensions.

• Mutual TLS (RFC 8705)
• Private Key JWT (RFC 7521, RFC 7521, OpenID)

Note: PKCE is not a form of client authentication, and is not an alternative to client authentication. Applications using client authentication should also use PKCE.

More resources

• Client Credentials (oauth.com)
• Client Authentication Methods (developer.okta.com)