Stream: implementers
Topic: Dynamic Client Registration - token_endpoint_auth_method
Alex Okonechnikov (Feb 10 2021 at 14:51):
Hi all,
We have a question tangentially related to the FHIR spec, in the OIDC Registration 1.0 spec.
The token_endpoint_auth_method property specifies the method used by a client trying to receive an access token.
Is that the only valid method for that client, once set, or is it just a suggestion?
For example, if a client registered with 'client_secret_post' tried to use the 'client_secret_jwt' method, would that be valid, or should the server reject it?
Thank you very much!
Josh Mandel (Feb 10 2021 at 17:29):
The concept in https://tools.ietf.org/html/rfc7591 is that at registration time, you establish how your client will authenticate (including method + key materials). So in your example, if you registered for client_secret_post but then wanted to use a different method, how would the server know the secrets/keys to use for authenticating you?
Last updated: Apr 12 2022 at 19:14 UTC