| ClientSecretAuthenticator | Serves as a base class for client authentication, utilizing client ID and secret. It validates clients against a known list of clients, ensuring that the client secret provided during the authentication process matches the stored secret for the client. This class supports various hash algorithms for secure secret comparison and handles client secret expiration. |
| ClientSecretBasicAuthenticator | Implements an authentication of a client request by HTTP 'Authorization' header using the 'Basic' scheme. This authentication method follows the standards outlined in RFC 7617. |
| ClientSecretJwtAuthenticator | Authenticates client requests using the client_secret_jwt authentication method. This method is used in scenarios where the client signs a JWT with its secret as a means of authentication. |
| ClientSecretPostAuthenticator | Implements an authentication of a client request by extracting client credentials (client_id and client_secret) from the request body. This approach is typically used in OAuth 2.0 client credential flows where the client submits its credentials as part of the request body. |
| JwtAssertionAuthenticatorBase | Base class for JWT assertion-based client authenticators, providing common validation logic for both private_key_jwt and client_secret_jwt authentication methods. |
| NoneClientAuthenticator | Authenticates clients that are configured as public, without requiring client secrets. |
| PrivateKeyJwtAuthenticator | Authenticates clients using the Private Key JWT method, verifying the client's identity through a signed JWT that the client provides. This method is suitable for clients that can securely store and use private keys. |
| TlsClientAuthenticator | Implements RFC 8705 self-signed TLS client authentication (self_signed_tls_client_auth). Validates the presented client certificate by matching its public key against the client's registered JWKS (jwks or jwks_uri). If matched and the client's configured token endpoint auth method is self_signed_tls_client_auth, the client is authenticated. |
| TlsMetadataClientAuthenticator | RFC 8705 tls_client_auth authenticator. Matches presented client certificate against client metadata: subject DN and/or Subject Alternative Name entries. |