OIDC Clients must authenticate with the OIDC Provider for the Authorize, Token and Introspect Endpoints. The following authentication scheme is currently supported:

The required scheme for any OIDC Client is determined when the OIDC Client is configured at the OIDC Provider.

Support for other authentication schemes like client_secret_jwt and private_key_jwt will be added as future options, eg. in conjunction with PSD2-support

OIDC Clients requesting access to Protected Resources that uses the OIDC Provider for authorization must in addition authenticate with Resource Servers using Access Tokens from the OIDC Provider. The type of Access Token and also the scheme for passing such tokens to Resources Servers are specific for each of the supported kinds of Protected Resources.