I did some research on Client Authentication methods and found this in the OAuth 2.0 RFC (6749), https://tools.ietf.org/html/rfc6749#section-2.1:
A client may be implemented as a distributed set of components, each
with a different client type and security context (e.g., a
distributed client with both a confidential server-based component
and a public browser-based component). If the authorization server
does not provide support for such clients or does not provide
guidance with regard to their registration, the client SHOULD
register each component as a separate client.
Is it right to assume that the authorization server (ORY Hydra) does not provide support for such clients?
Would love to hear why the developers chose to do so in that case.
We have a use case where the client uses the client_credentials auth method from the server side (for which token_endpoint_auth_method should be client_secret_post) and authorization code with PKCE from the SPA (which requires token_endpoint_auth_method to be
But I can only set the value of token_endpoint_auth_method to one of
As an addendum, there are OAuth 2.0 servers which support multiple authentication methods for a client. See Authlib, where we can set – this doesn't seem to be right!
TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post', 'none'].
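To make the conflict in the post concrete, here is an added example (not Hydra's or Authlib's code) that models a token endpoint enforcing a single token_endpoint_auth_method per registered client, as RFC 6749 §2.1 and RFC 7591 metadata describe it. The client ids, secret and authorization code are constructed placeholders; it shows that the two components authenticate under separate registrations, while one merged registration can only serve the backend's request.

```python
import base64
import hashlib
import secrets

# Constructed client records in the shape of RFC 7591 registration metadata
# (hypothetical ids and secret, not from any real Hydra deployment).
SERVER_CLIENT = {"client_id": "backend-component", "client_secret": "example-secret",
                 "grant_types": ["client_credentials"],
                 "token_endpoint_auth_method": "client_secret_post"}
SPA_CLIENT = {"client_id": "spa-component", "grant_types": ["authorization_code"],
              "token_endpoint_auth_method": "none"}  # public client: PKCE, no secret
# The single registration the question asks for: both grants, but only one method fits.
MERGED_CLIENT = {"client_id": "merged", "client_secret": "example-secret",
                 "grant_types": ["client_credentials", "authorization_code"],
                 "token_endpoint_auth_method": "client_secret_post"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _s256(verifier: str) -> str:
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def pkce_pair() -> tuple[str, str]:
    """RFC 7636 S256: a fresh code_verifier and its code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _s256(verifier)

def verify_pkce(verifier: str, challenge: str) -> bool:
    """Server-side check that the presented verifier matches the stored challenge."""
    return secrets.compare_digest(_s256(verifier), challenge)

def backend_token_request(client: dict) -> dict:
    """Form body the server-side component posts (client_secret_post)."""
    return {"grant_type": "client_credentials", "client_id": client["client_id"],
            "client_secret": client["client_secret"]}

def spa_token_request(client: dict, verifier: str) -> dict:
    """Form body the SPA posts: no secret, a PKCE verifier instead."""
    return {"grant_type": "authorization_code", "client_id": client["client_id"],
            "code": "constructed-code", "code_verifier": verifier}

def authenticate(client: dict, form: dict) -> bool:
    """True iff the request authenticates under the client's single registered method."""
    if form.get("grant_type") not in client["grant_types"]:
        return False
    method = client["token_endpoint_auth_method"]
    if method == "client_secret_post":
        return secrets.compare_digest(form.get("client_secret", ""), client["client_secret"])
    if method == "none":
        # Public client: no secret allowed; the PKCE verifier (checked via verify_pkce) stands in.
        return "client_secret" not in form and "code_verifier" in form
    return False
```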