Client secret sent in the request body

Send the client_id and client_secret values in the POST body when calling the token endpoint

Client secret sent as HTTP Basic authentication

Send the client_id and client_secret values in the Authorization header using HTTP Basic

Client secret sent as HTTP Basic authentication without URL encoding (deprecated)

Deprecated because it can cause interoperability and security issues

JWT signed with client secret

JWT assertion signed with an HMAC-based client secret

JWT signed with private key

A JWT assertion signed with a private key (recommended)