WWW-Authenticate schemes for OpenID Connect

Question

I'm writing my own codes for the OpenID Connect protocol. Basically, I intend to write my own provider and related stuff on Google App Engine's platform using Jersey and Google's datastore via Objectify library.

I'm in the middle of implementing the (access/refresh) token endpoint and there's this client authentication that I need to take care of. I'm just wondering if there are preset authentication schemes' keywords that I could send if in case the client did not have client_secret_basic set during the registration process (or whatever's set in the datastore entry.)

For a failed client authentication with the following methods, the scheme is used as response in the WWW-Authenticate header (401):

• client_secret_basic: Basic,
• client_secret_post: ???,
• client_secret_jwt: ???,
• private_key_jwt: ???,
• none: obviously none.

I've looked at some open source implementations, nimbus' and OAuth-Apis', but they don't seem to handle this minor issue (they only respond with the generic error response defined in OAuth2 rfc6749#section-5.2.)

If there are no predefined keywords, then I suppose I'll have to make up my own. But it would be great if they exist.

Answer 1

The authoritative list for these is at IANA. There, you can find these handfuls:

• Basic
• Bearer
• Digest
• HOBA
• Mutual
• Negotiate
• OAuth
• SCRAM-SHA1
• SCRAM-SHA-256
• vapid

Which of these is client_secret_post, client_secret_jwt and private_key_jwt? None. You'll need to map those to one from the registered list above or return your own values. Better yet, you can submit a draft to the OAuth working group or the OpenID Foundation to get the above IANA registry updated with something that makes sense for these missing cases. Then, we can all interop :-)