Client Secret
This table describes when the client_secret is required.
In each of the endpoint's documentation, it describes when and how to use the client_secret in the request body or the Authorization header using HTTP Basic Auth.
Even when the client secret is not required, if it is provided it will be validated.
Previous to version 1.28.0, whether the client secret was required was controlled by the oauthConfiguration.requireClientAuthentication value of the application object.
In that case, a value of true is equivalent to a clientAuthenticationPolicy of Required and a value of false is equivalent to a clientAuthenticationPolicy of NotRequired.
For versions 1.28.0 or later, use oauthConfiguration.clientAuthenticationPolicy to configure this functionality.
When Is the Client Secret Required
| Grant | clientAuthenticationPolicy value | PKCE Used | Client Secret Required |
|---|---|---|---|
| Authorization Code Grant | Required | - | Yes |
| Authorization Code Grant | NotRequired | - | No |
| Authorization Code Grant | NotRequiredWhenUsingPKCE | Yes | No |
| Authorization Code Grant | NotRequiredWhenUsingPKCE | No | Yes |
| Implicit Grant | N/A | - | - |
| Password Credentials Grant | Required | - | Yes |
| Password Credentials Grant | NotRequired | - | No |
| Refresh Token Grant | Required | - | Yes |
| Refresh Token Grant | NotRequired | - | No |