Skip to content

SEP-1046: Support OAuth client credentials flow in authorization #1046

New issue
New issue
Closed
Closed
SEP-1046: Support OAuth client credentials flow in authorization#1046
Assignees
localden
Labels
SEPacceptedSEP accepted by core maintainers, but still requires final wording and reference implementation.authawaiting-sdk-changeextensionfinalSEP finalized.security
@D-McAdams

Description

@D-McAdams
D-McAdams
opened on Jul 24, 2025

Preamble

Title: Support OAuth client credentials flow in authorization
Author: Darin McAdams (@D-McAdams )
Status: Proposal
Type: Standards Track
Created: 2025-07-23

Abstract

Recommends adding the OAuth client credentials flow to the authorization spec to enable machine-to-machine scenarios.

Motivation

The original authorization spec mentioned the client credentials flow, but it was dropped in subsequent revisions. Therefore, the spec is currently silent on how to solve machine-to-machine scenarios where an end-user is unavailable for interactive authorization.

Specification

The authorization spec would be amended to list the OAuth client credentials flow as being allowed. Adhering to the patterns established by OAuth 2.1, the specification would RECOMMEND the use of asymmetric methods defined in RFC 753 (JWT Assertions), but also allow client secrets.

As guidance to implementors, the spec overview would also be updated to describe the different flows and when each is applicable. In addition, to address a common question, the spec would be updated to indicate that implementors may implement other authorization scenarios beyond what's defined; emphasizing that the specification defines the baseline requirements.

Rationale

To maximize interoperability (and minimize SDK complexity), this change would intentionally constrain the client credentials flow to two options:

  1. JWT Assertions as per RFC 7523 (RECOMMENDED)
  2. Client Secrets via HTTP Basic authentication (Allowed for maximum compatibility with existing systems)

Other options, such as mTLS, are not included.

While the spec encourages the use of RFC 7523 (JWT Assertions), it does not yet specify how to populate the JWT contents nor how to discover the client's JWKS URI to validate the JWT. In future iterations of the spec, it will be beneficial to do so. However, this was currently left unspecified pending maturity of other RFCs that can define these profiles. The other RFCs include WIMSE Headless JWT Authentication (for specifying JWT contents) and Client ID Metadata (for specifying the JWKS URI). This revision intentionally leaves extensibility for these future profiles. As a practical matter, this means implementers needing to ship solutions ASAP will most likely use client secrets which are widely supported today, whereas the JWT Assertion pattern represents the longer-term direction.

Backward Compatibility

This change is fully backward compatible. It introduces a new authorization flow, but does not alter the existing flows.

Security Implications

The specification refers to the existing OAuth security guidance.

Metadata

Metadata

Assignees

Labels

SEPacceptedSEP accepted by core maintainers, but still requires final wording and reference implementation.authawaiting-sdk-changeextensionfinalSEP finalized.security

Type

No type

Projects

Draft spec SDKs implementations

Status

Done
SEP Review Pipeline

Status

Accepted
2025-11-25 Implementation

Status

In progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions