rfc-editor.org/rfc/rfc6749#section-2.3
Confidential clients authenticate when making requests to the OAuth authorization server.
The core OAuth 2.0 specification defines the "client password" client authentication type, which defines the client_secret
parameter as well as the method of including the client password in the HTTP Authorization
header.
There are additional forms of client authentication defined in extensions.
More resources