Skip to main content
Version: v2.0 (latest)

Token Binding and Client Authentication

OIDC Web supports the full range of modern client-authentication and token-binding mechanisms. You can match your security posture to the sensitivity of the integration.

Sender-constrained access tokens bind a token to its rightful holder, so a leaked or intercepted token is useless to an attacker:

  • DPoP (RFC 9449). Each call carries a fresh proof JWT signed by your client key and bound to the request and the token.
  • mTLS-bound tokens (RFC 8705). The access token is bound to your client's TLS certificate.

OIDC Web accepts these client-authentication methods at the token endpoint:

MethodUse
private_key_jwt (RFC 7523)Asymmetric, no shared secret to leak. Recommended for confidential clients.
tls_client_auth (mTLS, RFC 8705)Mutual-TLS client authentication.
client_secret_basic / client_secret_postShared-secret authentication, for simpler confidential clients.
nonePublic clients (SPAs, native apps) that rely on PKCE.

For the implementation, see Client Authentication and Sender-Constrained Tokens in the User Guide.