Skip to content

feat: add client credentials as a MUST #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
elf-pavlik merged 13 commits into from
Mar 11, 2026
Merged

feat: add client credentials as a MUST #245

Changes from 6 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
2d67a84
feat: add client credentials as a MUST
jeswr Feb 15, 2026
f2fb705
fix: Use `Access` token rather than `OIDC ID` token
jeswr Feb 17, 2026
6a5e05b
fix: Refer to `Authorization Server` over `OpenID Providers`
jeswr Feb 17, 2026
45ac134
Merge branch 'main' into feat/client-credentials-grant
langsamu Mar 4, 2026
fd21bf6
Merge branch 'refs/heads/main' into feat/client-credentials-grant
langsamu Mar 6, 2026
840ccef
Extract changes to separate section
langsamu Mar 6, 2026
3b8d430
Update index.bs
langsamu Mar 6, 2026
0458856
Add reference to refresh token flow
langsamu Mar 6, 2026
69ea20f
Make Client Credentials authentication example non-normative and add …
langsamu Mar 9, 2026
50e297d
Generalize client authentication validation in Client Credentials grant
langsamu Mar 9, 2026
176406f
Clarify WebID binding requirement for Client Credentials Grant
langsamu Mar 9, 2026
9ea7a00
Update index.bs
langsamu Mar 9, 2026
cb232b3
Update index.bs
langsamu Mar 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -438,6 +438,42 @@ Discovery 1.0 [[!OIDC-DISCOVERY]] resource by including `webid` in its `scopes_s
</pre>
</div>

# Client Credentials Grant # {#client-credentials}

NOTE: This sections borrows concepts from OAuth 2.0 [[!RFC6749]], while the rest of Solid-OIDC builds on top of OpenID
Connect Core 1.0 [[!OIDC-CORE]]. The section is likely to be extracted into a separate specification in the future.

Authorization Servers MUST support the OAuth 2.0 Client Credentials Grant [[!RFC6749]] (Section 4.4) to enable
non-interactive authentication for scripts, automated agents, and server-to-server communication.

NOTE: Scripts and bots can also use Solid-OIDC without Client Credentials via the refresh token flow, when supported by
Copy link
Copy Markdown
Member Author

@jeswr jeswr Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reference we can provide for the refresh token flow?

Copy link
Copy Markdown
Contributor

@langsamu langsamu Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0458856

the server.

When using the Client Credentials Grant, the Client authenticates with the OP using a `client_id` and `client_secret`
pair previously obtained through client registration (either static or dynamic). The Client sends a token request to
Copy link
Copy Markdown
Member

@acoburn acoburn Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am ok with adding a requirement for the client_credentials grant type, and it is important to note the this grant flow requires authentication. However, client_id/client_secret is only one type of authentication that could be used in this flow, and it is (arguably) not the most secure. I would be much happier if the requirements here are limited to:

  • The client_credential grant type MUST be included in the grant_types_supported array of the .well-known/openid-configuration resource

RFC6749 section 4.4.2 and section 3.2.1 already include requirements for authentication, so there is no need to normatively reiterate that here. It is fine to use client_id/client_secret pairs as non-normative examples, but I would not require that as the lone authentication mechanism. RFC7523 presents another way to handle authentication using JWTs, and other mechanisms will emerge over time.

Copy link
Copy Markdown
Contributor

@langsamu langsamu Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

69ea20f makes example non-normative and notes RFC7523.

the OP's token endpoint with `grant_type=client_credentials` and the `webid` scope.

## Token Instantiation ## {#client-credentials-token-instantiation}

During Token Instantiation [[#tokens]], if the [Client Credentials
Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) is used, the OP MUST validate the `client_id` and
`client_secret`. If valid, the OP MUST return A DPoP-bound OIDC ID Token.
Comment thread
langsamu marked this conversation as resolved.
Outdated

## Solid-OIDC Conformance Discovery ## {#client-credentials-discovery}

For non-interactive use cases such as scripts, automated agents, and server-to-server communication, this specification
also requires that an OpenID Provider that conforms to the Solid-OIDC specification MUST advertise its support for the
[Client Credentials Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) in the OpenID Connect Discovery 1.0
[OIDC.Discovery] resource by including `client_credentials` in its `grant_types_supported` metadata property.

<div class="example">
<pre highlight="json">
{
"grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"]
}
</pre>
</div>

# Security Considerations # {#security}

*This section is non-normative*
Expand Down