Skip to main content

Wrong Token Endpoint Auth Method

There are multiple ways of authenticating OAuth 2.0 Clients at the /oauth2/token:

  • HTTP Basic Authorization (client_secret_basic) - the OAuth 2.0 Client ID and secret are sent in the HTTP Header (Authorization: basic ....)
  • HTTP Body (client_secret_post) - the OAuth 2.0 Client ID and secret are sent in the POST body (Content-Type: application/x-www-form-urlencoded)

Both are valid schemes. But the OAuth 2.0 Client has to be configured to allow either of the one. Per default, the OAuth 2.0 Client allows HTTP Basic Authorization only. You can check which method is allowed:

hydra clients get --endpoint http://ory-hydra <the-client-id>
{
// ...
"token_endpoint_auth_method": "client_secret_basic",
// ...
}

As you can see, this client is allowed to authorize using HTTP Basic Authorization. If you try to authorize with the client credentials in the POST body, the authentication process will fail. To allow a client to perform the POST authorization scheme, you must set "token_endpoint_auth_method": "client_secret_post". You can do this in the CLI with the --token-endpoint-auth-method flag.