In certain situations, clients need to authenticate with IdentityServer, e.g.:
- confidential applications (aka clients) requesting tokens at the token endpoint
- APIs (aka resource scopes) validating reference tokens at the introspection endpoint
For that purpose you can assign a list of secrets to a
Client or a
Secret parsing and validation is an extensibility point in IdentityServer. Out of the box it supports shared secrets (stored hashed or plaintext, defaulting to hashed) as well as transmitting the shared secret via a basic authentication header or the POST body.
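
The two steps described above (parse the credential from the Basic header or the POST body, then validate it against a hashed stored secret), as an added example that is not IdentityServer's own code. The `SecretDemo` class, its methods, the Base64(SHA-256) storage format, the header-before-body precedence and the sample client are all assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Illustrative sketch only: none of these types or methods are IdentityServer's.
static class SecretDemo
{
    // Constructed store: client id -> Base64(SHA-256(secret)); the format is an assumption.
    static readonly Dictionary<string, string> Store = new()
        { ["demo-client"] = Hash("constructed-secret") };

    static string Hash(string s) =>
        Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(s)));
    // RFC 6749 section 2.3.1: id and secret are form-urlencoded before Base64 encoding.
    static string Decode(string s) => Uri.UnescapeDataString(s.Replace('+', ' '));

    // Parse step: look at the Authorization header first, then the POST body.
    public static (string Id, string Secret)? Parse(string authHeader, IDictionary<string, string> form)
    {
        if (authHeader != null && authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            try
            {
                var raw = Convert.FromBase64String(authHeader.Substring(6).Trim());
                var pair = Encoding.UTF8.GetString(raw);
                var i = pair.IndexOf(':');
                if (i > 0) return (Decode(pair[..i]), Decode(pair[(i + 1)..]));
            }
            catch (FormatException) { /* malformed Base64: fall through and reject */ }
            return null; // a present but unusable header is not retried via the body
        }
        if (form.TryGetValue("client_id", out var id) && form.TryGetValue("client_secret", out var secret))
            return (id, secret);
        return null;
    }

    // Validate step: hash the presented secret and compare in constant time.
    public static bool Validate((string Id, string Secret)? c) =>
        c is not null && Store.TryGetValue(c.Value.Id, out var stored) &&
        CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(Hash(c.Value.Secret)), Encoding.UTF8.GetBytes(stored));

    static void Main()
    {
        var basic = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("demo-client:constructed-secret"));
        var body = new Dictionary<string, string> { ["client_id"] = "demo-client", ["client_secret"] = "wrong" };
        Console.WriteLine(Validate(Parse(basic, new Dictionary<string, string>()))); // header, correct secret
        Console.WriteLine(Validate(Parse(null, body)));                              // body, wrong secret
    }
}
```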