I did some research on Client Authentication methods and found this on the OAuth 2.0 RFC(6749) https://tools.ietf.org/html/rfc6749#section-2.1
A client may be implemented as a distributed set of components, each
with a different client type and security context (e.g., a
distributed client with both a confidential server-based component
and a public browser-based component). If the authorization server
does not provide support for such clients or does not provide
guidance with regard to their registration, the client SHOULD
register each component as a separate client.
Is it right to assume that the authorization server (ORY Hydra) does not provide support for such clients?
Would love to hear why the developers chose to do so in that case.
We have a use case where the client uses client_credentials auth method from the server side (for which token_endpoint_auth_method should be client_secret_post) and authorization code with pkce from the SPA (which requires token_endpoint_auth_method to be none).
But I can only set the value of token_endpoint_auth_method to one of client_secret_post, client_secret_basic and none.
As an addendum, there are OAuth2.0 servers which support multiple authentication methods for a client. See Authlib where we can set – this does’t seem to be right!TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post', 'none'].