...

For any call to the token endpoint, including this one, the client must provide its credentials as HTTP Basic authentication, with the client ID as the user name and the client secret as the password. For a confidential client the credentials must be supplied in the Authorization header.

Note (Check if valid): the specification allows, but discourages, providing the credentials as parameters in the request body instead (client_id and client_secret), but

...

Keycloak does not allow this for confidential clients. And since a public client is not expected to use this endpoint and this flow, this is not relevant for practical purposes.

Before building the header for Basic authentication, client IDs and client secrets containing special characters (including %, +, and all non-ASCII characters) must first be encoded using the UTF-8 character encoding scheme; the resulting octet sequence must then be further application/x-www-form-urlencoded (see section 2.3.1 of the specification). To build the header, the encoded credentials are joined with a colon, the resulting string is base64-encoded, and the result is prefixed with "Basic ".
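The following is an added example (not code from the original page or from Keycloak) that carries the encoding steps above through in Python: UTF-8 encode each credential, apply application/x-www-form-urlencoded encoding, join with a colon, base64-encode and prefix with "Basic ". It also includes the inverse routine a token endpoint would use to decode and form-unescape the header, so the two sides can be checked against each other with a round trip. The sample client ID and secret are constructed for illustration; the function names are this example's own.

```python
import base64
from typing import Tuple
from urllib.parse import quote_plus, unquote_plus


def encode_credential(value: str) -> str:
    """UTF-8 encode the value, then application/x-www-form-urlencode it.

    quote_plus() with the default safe='' escapes every reserved character
    (including ':', '%', '+' and '/') and turns a space into '+', which is
    what RFC 6749 section 2.3.1 requires for client_id and client_secret.
    """
    return quote_plus(value, safe="", encoding="utf-8")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header value for the token endpoint."""
    credentials = f"{encode_credential(client_id)}:{encode_credential(client_secret)}"
    # After form-encoding the string is pure ASCII, so base64 is applied to
    # the ASCII octets and the result is prefixed with the Basic scheme.
    token = base64.b64encode(credentials.encode("ascii")).decode("ascii")
    return "Basic " + token


def parse_basic_auth_header(header: str) -> Tuple[str, str]:
    """Server-side inverse: recover (client_id, client_secret) from the header.

    The first ':' separates user name from password; because both halves were
    form-encoded, a ':' inside a secret arrives as '%3A' and cannot be
    confused with the separator.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("ascii")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credentials: missing ':' separator")
    return unquote_plus(user, encoding="utf-8"), unquote_plus(password, encoding="utf-8")


if __name__ == "__main__":
    # Constructed sample credentials containing the characters the text calls out.
    sample_id = "my client"
    sample_secret = "p%ss+w\u00f6rd:x"
    header = basic_auth_header(sample_id, sample_secret)
    print(header)
    print(parse_basic_auth_header(header))
```

Note that a client which skips the form-encoding step and sends the raw secret will produce a different header for any secret containing %, + or non-ASCII characters, and the token endpoint will reject it as invalid client credentials; this is a common cause of "works with one secret, fails with another" reports.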

...