Token Binding and Client Authentication
OIDC Web supports the full range of modern client-authentication and token-binding mechanisms. You can match your security posture to the sensitivity of the integration.
Sender-constrained access tokens bind a token to its rightful holder, so a leaked or intercepted token is useless to an attacker:
- DPoP (RFC 9449). Each call carries a fresh proof JWT signed by your client key and bound to the request and the token.
- mTLS-bound tokens (RFC 8705). The access token is bound to your client's TLS certificate.
OIDC Web accepts these client-authentication methods at the token endpoint:
| Method | Use |
|---|---|
private_key_jwt (RFC 7523) | Asymmetric, no shared secret to leak. Recommended for confidential clients. |
tls_client_auth (mTLS, RFC 8705) | Mutual-TLS client authentication. |
client_secret_basic / client_secret_post | Shared-secret authentication, for simpler confidential clients. |
none | Public clients (SPAs, native apps) that rely on PKCE. |
For the implementation, see Client Authentication and Sender-Constrained Tokens in the User Guide.