Deprecate ClientAuthenticationMethod BASIC and POST

Closes gh-9220
2020-11-25 07:23:34 -05:00 · 2020-11-25 07:23:34 -05:00 · 58e3235093
parent c002c6f9f3
commit 58e3235093
46 changed files with 209 additions and 142 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@ -2100,7 +2100,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		return ClientRegistration.withRegistrationId("google")
 	 * 			.clientId("google-client-id")
 	 * 			.clientSecret("google-client-secret")
-	 * 			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+	 * 			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 	 * 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 	 * 			.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
 	 * 			.scope("openid", "profile", "email", "address", "phone")
@ -2201,7 +2201,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * 		return ClientRegistration.withRegistrationId("google")
 	 * 			.clientId("google-client-id")
 	 * 			.clientSecret("google-client-secret")
-	 * 			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+	 * 			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 	 * 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 	 * 			.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
 	 * 			.scope("openid", "profile", "email", "address", "phone")
--- a/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java
+++ b/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java
@ -36,8 +36,8 @@ public enum CommonOAuth2Provider {

 		@Override
 		public Builder getBuilder(String registrationId) {
-			ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.BASIC,
-					DEFAULT_REDIRECT_URL);
+			ClientRegistration.Builder builder = getBuilder(registrationId,
+					ClientAuthenticationMethod.CLIENT_SECRET_BASIC, DEFAULT_REDIRECT_URL);
 			builder.scope("openid", "profile", "email");
 			builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
 			builder.tokenUri("https://www.googleapis.com/oauth2/v4/token");
@ -55,8 +55,8 @@ public enum CommonOAuth2Provider {

 		@Override
 		public Builder getBuilder(String registrationId) {
-			ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.BASIC,
-					DEFAULT_REDIRECT_URL);
+			ClientRegistration.Builder builder = getBuilder(registrationId,
+					ClientAuthenticationMethod.CLIENT_SECRET_BASIC, DEFAULT_REDIRECT_URL);
 			builder.scope("read:user");
 			builder.authorizationUri("https://github.com/login/oauth/authorize");
 			builder.tokenUri("https://github.com/login/oauth/access_token");
@ -72,8 +72,8 @@ public enum CommonOAuth2Provider {

 		@Override
 		public Builder getBuilder(String registrationId) {
-			ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.POST,
-					DEFAULT_REDIRECT_URL);
+			ClientRegistration.Builder builder = getBuilder(registrationId,
+					ClientAuthenticationMethod.CLIENT_SECRET_POST, DEFAULT_REDIRECT_URL);
 			builder.scope("public_profile", "email");
 			builder.authorizationUri("https://www.facebook.com/v2.8/dialog/oauth");
 			builder.tokenUri("https://graph.facebook.com/v2.8/oauth/access_token");
@ -89,8 +89,8 @@ public enum CommonOAuth2Provider {

 		@Override
 		public Builder getBuilder(String registrationId) {
-			ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.BASIC,
-					DEFAULT_REDIRECT_URL);
+			ClientRegistration.Builder builder = getBuilder(registrationId,
+					ClientAuthenticationMethod.CLIENT_SECRET_BASIC, DEFAULT_REDIRECT_URL);
 			builder.scope("openid", "profile", "email");
 			builder.userNameAttributeName(IdTokenClaimNames.SUB);
 			builder.clientName("Okta");
--- a/config/src/main/resources/META-INF/spring.schemas
+++ b/config/src/main/resources/META-INF/spring.schemas
@ -16,7 +16,8 @@ http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/spri
 http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
-https\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-5.4.xsd
+https\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-5.5.xsd
+https\://www.springframework.org/schema/security/spring-security-5.5.xsd=org/springframework/security/config/spring-security-5.5.xsd
 https\://www.springframework.org/schema/security/spring-security-5.4.xsd=org/springframework/security/config/spring-security-5.4.xsd
 https\://www.springframework.org/schema/security/spring-security-5.3.xsd=org/springframework/security/config/spring-security-5.3.xsd
 https\://www.springframework.org/schema/security/spring-security-5.2.xsd=org/springframework/security/config/spring-security-5.2.xsd
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.5.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.5.rnc
@ -526,8 +526,8 @@ client-registration.attlist &=
 	## The client secret.
 	attribute client-secret {xsd:token}?
 client-registration.attlist &=
-	## The method used to authenticate the client with the provider. The supported values are basic, post and none (public clients).
-	attribute client-authentication-method {"basic" | "post" | "none"}?
+	## The method used to authenticate the client with the provider. The supported values are client_secret_basic, client_secret_post and none (public clients).
+	attribute client-authentication-method {"client_secret_basic" | "basic" | "client_secret_post" | "post" | "none"}?
 client-registration.attlist &=
 	## The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The supported values are authorization_code, client_credentials, password and implicit.
 	attribute authorization-grant-type {"authorization_code" | "client_credentials" | "password" | "implicit"}?
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.5.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.5.xsd
@ -1657,12 +1657,14 @@
      <xs:attribute name="client-authentication-method">
         <xs:annotation>
            <xs:documentation>The method used to authenticate the client with the provider. The supported values are
-                basic, post and none (public clients).
+                client_secret_basic, client_secret_post and none (public clients).
                </xs:documentation>
         </xs:annotation>
         <xs:simpleType>
            <xs:restriction base="xs:token">
+               <xs:enumeration value="client_secret_basic"/>
               <xs:enumeration value="basic"/>
+               <xs:enumeration value="client_secret_post"/>
               <xs:enumeration value="post"/>
               <xs:enumeration value="none"/>
            </xs:restriction>
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
@ -113,7 +113,7 @@ public class OAuth2ClientConfigurerTests {
 				.registrationId("registration-1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri("{baseUrl}/client-1")
 				.scope("user")
--- a/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java
@ -152,7 +152,8 @@ public class ClientRegistrationsBeanDefinitionParserTests {
 		assertThat(googleRegistration.getRegistrationId()).isEqualTo("google-login");
 		assertThat(googleRegistration.getClientId()).isEqualTo("google-client-id");
 		assertThat(googleRegistration.getClientSecret()).isEqualTo("google-client-secret");
-		assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(googleRegistration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
 		assertThat(googleRegistration.getScopes()).isNull();
@ -180,7 +181,8 @@ public class ClientRegistrationsBeanDefinitionParserTests {
 		assertThat(googleRegistration.getRegistrationId()).isEqualTo("google-login");
 		assertThat(googleRegistration.getClientId()).isEqualTo("google-client-id");
 		assertThat(googleRegistration.getClientSecret()).isEqualTo("google-client-secret");
-		assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(googleRegistration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/login/oauth2/code/{registrationId}");
 		assertThat(googleRegistration.getScopes())
@ -203,7 +205,8 @@ public class ClientRegistrationsBeanDefinitionParserTests {
 		assertThat(githubRegistration.getRegistrationId()).isEqualTo("github-login");
 		assertThat(githubRegistration.getClientId()).isEqualTo("github-client-id");
 		assertThat(githubRegistration.getClientSecret()).isEqualTo("github-client-secret");
-		assertThat(githubRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(githubRegistration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(githubRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(githubRegistration.getRedirectUri()).isEqualTo("{baseUrl}/login/oauth2/code/{registrationId}");
 		assertThat(googleRegistration.getScopes())
--- a/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java
+++ b/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java
@ -46,7 +46,8 @@ public class CommonOAuth2ProviderTests {
 		assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()).isEqualTo(IdTokenClaimNames.SUB);
 		assertThat(providerDetails.getJwkSetUri()).isEqualTo("https://www.googleapis.com/oauth2/v3/certs");
 		assertThat(providerDetails.getIssuerUri()).isEqualTo("https://accounts.google.com");
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
 		assertThat(registration.getScopes()).containsOnly("openid", "profile", "email");
@ -63,7 +64,8 @@ public class CommonOAuth2ProviderTests {
 		assertThat(providerDetails.getUserInfoEndpoint().getUri()).isEqualTo("https://api.github.com/user");
 		assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()).isEqualTo("id");
 		assertThat(providerDetails.getJwkSetUri()).isNull();
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
 		assertThat(registration.getScopes()).containsOnly("read:user");
@ -81,7 +83,8 @@ public class CommonOAuth2ProviderTests {
 				.isEqualTo("https://graph.facebook.com/me?fields=id,name,email");
 		assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()).isEqualTo("id");
 		assertThat(providerDetails.getJwkSetUri()).isNull();
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.POST);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_POST);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
 		assertThat(registration.getScopes()).containsOnly("public_profile", "email");
@ -100,7 +103,8 @@ public class CommonOAuth2ProviderTests {
 		assertThat(providerDetails.getUserInfoEndpoint().getUri()).isEqualTo("https://example.com/info");
 		assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()).isEqualTo(IdTokenClaimNames.SUB);
 		assertThat(providerDetails.getJwkSetUri()).isEqualTo("https://example.com/jwkset");
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL);
 		assertThat(registration.getScopes()).containsOnly("openid", "profile", "email");
--- a/config/src/test/resources/org/springframework/security/config/http/OAuth2LoginBeanDefinitionParserTests-SingleClientRegistration.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/OAuth2LoginBeanDefinitionParserTests-SingleClientRegistration.xml
@ -34,7 +34,7 @@
 		<client-registration registration-id="google-login"
 							 client-id="google-client-id"
 							 client-secret="google-client-secret"
-							 client-authentication-method="basic"
+							 client-authentication-method="client_secret_basic"
 							 authorization-grant-type="authorization_code"
 							 redirect-uri="{baseUrl}/login/oauth2/code/{registrationId}"
 							 scope="openid,profile,email"
--- a/config/src/test/resources/org/springframework/security/config/oauth2/client/google-github-registration.xml
+++ b/config/src/test/resources/org/springframework/security/config/oauth2/client/google-github-registration.xml
@ -27,7 +27,7 @@
 		<client-registration registration-id="google-login"
 							 client-id="google-client-id"
 							 client-secret="google-client-secret"
-							 client-authentication-method="basic"
+							 client-authentication-method="client_secret_basic"
 							 authorization-grant-type="authorization_code"
 							 redirect-uri="{baseUrl}/login/oauth2/code/{registrationId}"
 							 scope="openid,profile,email"
@ -36,7 +36,7 @@
 		<client-registration registration-id="github-login"
 							 client-id="github-client-id"
 							 client-secret="github-client-secret"
-							 client-authentication-method="basic"
+							 client-authentication-method="client_secret_basic"
 							 authorization-grant-type="authorization_code"
 							 redirect-uri="{baseUrl}/login/oauth2/code/{registrationId}"
 							 scope="read:user"
--- a/config/src/test/resources/org/springframework/security/config/oauth2/client/google-registration.xml
+++ b/config/src/test/resources/org/springframework/security/config/oauth2/client/google-registration.xml
@ -27,7 +27,7 @@
 		<client-registration registration-id="google-login"
 							 client-id="google-client-id"
 							 client-secret="google-client-secret"
-							 client-authentication-method="basic"
+							 client-authentication-method="client_secret_basic"
 							 authorization-grant-type="authorization_code"
 							 redirect-uri="{baseUrl}/login/oauth2/code/{registrationId}"
 							 scope="openid,profile,email"
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
@ -1046,7 +1046,7 @@ The client secret.
 [[nsa-client-registration-client-authentication-method]]
 * **client-authentication-method**
 The method used to authenticate the Client with the Provider.
-The supported values are *basic*, *post* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
+The supported values are *client_secret_basic*, *client_secret_post* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].


 [[nsa-client-registration-authorization-grant-type]]
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc
@ -205,7 +205,7 @@ public final class ClientRegistration {
 <2> `clientId`: The client identifier.
 <3> `clientSecret`: The client secret.
 <4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
-The supported values are *basic*, *post* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
+The supported values are *client_secret_basic*, *client_secret_post* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
 <5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
 The supported values are `authorization_code`, `client_credentials` and `password`.
 <6> `redirectUri`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc
@ -266,7 +266,7 @@ public class OAuth2LoginConfig {
 		return ClientRegistration.withRegistrationId("google")
 			.clientId("google-client-id")
 			.clientSecret("google-client-secret")
-			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 			.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
 			.scope("openid", "profile", "email", "address", "phone")
@ -295,7 +295,7 @@ class OAuth2LoginConfig {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
-                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
@ -390,7 +390,7 @@ public class OAuth2LoginConfig {
 		return ClientRegistration.withRegistrationId("google")
 			.clientId("google-client-id")
 			.clientSecret("google-client-secret")
-			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 			.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
 			.scope("openid", "profile", "email", "address", "phone")
@ -433,7 +433,7 @@ class OAuth2LoginConfig {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
-                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractWebClientReactiveOAuth2AccessTokenResponseClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractWebClientReactiveOAuth2AccessTokenResponseClient.java
@ -95,7 +95,8 @@ public abstract class AbstractWebClientReactiveOAuth2AccessTokenResponseClient<T
 		ClientRegistration clientRegistration = clientRegistration(grantRequest);
 		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
 		headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
-		if (ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
 			headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
 		}
 	}
@ -132,10 +133,12 @@ public abstract class AbstractWebClientReactiveOAuth2AccessTokenResponseClient<T
 	BodyInserters.FormInserter<String> populateTokenRequestBody(T grantRequest,
 			BodyInserters.FormInserter<String> body) {
 		ClientRegistration clientRegistration = clientRegistration(grantRequest);
-		if (!ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (!ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
+				&& !ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
 			body.with(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
 		}
-		if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
 			body.with(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
 		}
 		Set<String> scopes = scopes(grantRequest);
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClient.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -91,7 +91,9 @@ public class NimbusAuthorizationCodeTokenResponseClient
 		// Set the credentials to authenticate the client at the token endpoint
 		ClientID clientId = new ClientID(clientRegistration.getClientId());
 		Secret clientSecret = new Secret(clientRegistration.getClientSecret());
-		boolean isPost = ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod());
+		boolean isPost = ClientAuthenticationMethod.CLIENT_SECRET_POST
+				.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod());
 		ClientAuthentication clientAuthentication = isPost ? new ClientSecretPost(clientId, clientSecret)
 				: new ClientSecretBasic(clientId, clientSecret);
 		com.nimbusds.oauth2.sdk.TokenResponse tokenResponse = getTokenResponse(authorizationCodeGrant, tokenUri,
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationCodeGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationCodeGrantRequestEntityConverter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -80,10 +80,12 @@ public class OAuth2AuthorizationCodeGrantRequestEntityConverter
 		if (redirectUri != null) {
 			formParameters.add(OAuth2ParameterNames.REDIRECT_URI, redirectUri);
 		}
-		if (!ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (!ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
+				&& !ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
 			formParameters.add(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
 		}
-		if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
 			formParameters.add(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
 		}
 		if (codeVerifier != null) {
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -46,7 +46,8 @@ final class OAuth2AuthorizationGrantRequestEntityUtils {
 	static HttpHeaders getTokenRequestHeaders(ClientRegistration clientRegistration) {
 		HttpHeaders headers = new HttpHeaders();
 		headers.addAll(DEFAULT_TOKEN_REQUEST_HEADERS);
-		if (ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
 			headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
 		}
 		return headers;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestEntityConverter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -76,7 +76,8 @@ public class OAuth2ClientCredentialsGrantRequestEntityConverter
 			formParameters.add(OAuth2ParameterNames.SCOPE,
 					StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), " "));
 		}
-		if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
 			formParameters.add(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
 			formParameters.add(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
 		}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -77,7 +77,8 @@ public class OAuth2PasswordGrantRequestEntityConverter
 			formParameters.add(OAuth2ParameterNames.SCOPE,
 					StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), " "));
 		}
-		if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
 			formParameters.add(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
 			formParameters.add(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
 		}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2RefreshTokenGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2RefreshTokenGrantRequestEntityConverter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -77,7 +77,8 @@ public class OAuth2RefreshTokenGrantRequestEntityConverter
 			formParameters.add(OAuth2ParameterNames.SCOPE,
 					StringUtils.collectionToDelimitedString(refreshTokenGrantRequest.getScopes(), " "));
 		}
-		if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+		if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())
+				|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
 			formParameters.add(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
 			formParameters.add(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
 		}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java
@ -50,11 +50,13 @@ abstract class StdConverters {
 		@Override
 		public ClientAuthenticationMethod convert(JsonNode jsonNode) {
 			String value = JsonNodeUtils.findStringValue(jsonNode, "value");
-			if (ClientAuthenticationMethod.BASIC.getValue().equalsIgnoreCase(value)) {
-				return ClientAuthenticationMethod.BASIC;
+			if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue().equalsIgnoreCase(value)
+					|| ClientAuthenticationMethod.BASIC.getValue().equalsIgnoreCase(value)) {
+				return ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
 			}
-			if (ClientAuthenticationMethod.POST.getValue().equalsIgnoreCase(value)) {
-				return ClientAuthenticationMethod.POST;
+			if (ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue().equalsIgnoreCase(value)
+					|| ClientAuthenticationMethod.POST.getValue().equalsIgnoreCase(value)) {
+				return ClientAuthenticationMethod.CLIENT_SECRET_POST;
 			}
 			if (ClientAuthenticationMethod.NONE.getValue().equalsIgnoreCase(value)) {
 				return ClientAuthenticationMethod.NONE;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
@ -647,7 +647,7 @@ public final class ClientRegistration implements Serializable {
 					&& !StringUtils.hasText(this.clientSecret)) {
 				return ClientAuthenticationMethod.NONE;
 			}
-			return ClientAuthenticationMethod.BASIC;
+			return ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
 		}

 		private ProviderDetails createProviderDetails(ClientRegistration clientRegistration) {
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
@ -269,17 +269,18 @@ public final class ClientRegistrations {
 		if (metadataAuthMethods == null || metadataAuthMethods
 				.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
 			// If null, the default includes client_secret_basic
-			return ClientAuthenticationMethod.BASIC;
+			return ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
 		}
 		if (metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
-			return ClientAuthenticationMethod.POST;
+			return ClientAuthenticationMethod.CLIENT_SECRET_POST;
 		}
 		if (metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.NONE)) {
 			return ClientAuthenticationMethod.NONE;
 		}
-		throw new IllegalArgumentException("Only ClientAuthenticationMethod.BASIC, ClientAuthenticationMethod.POST and "
-				+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer
-				+ "\" returned a configuration of " + metadataAuthMethods);
+		throw new IllegalArgumentException(
+				"Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
+						+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer
+						+ "\" returned a configuration of " + metadataAuthMethods);
 	}

 	private interface ThrowingFunction<S, T, E extends Throwable> {
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/InMemoryReactiveOAuth2AuthorizedClientServiceTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/InMemoryReactiveOAuth2AuthorizedClientServiceTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -62,7 +62,7 @@ public class InMemoryReactiveOAuth2AuthorizedClientServiceTests {
 	// @formatter:off
 	private ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(this.clientRegistrationId)
 			.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
-			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 			.scope("read:user")
 			.authorizationUri("https://github.com/login/oauth/authorize")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClientTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -65,7 +65,7 @@ public class DefaultAuthorizationCodeTokenResponseClientTests {
 				.withRegistrationId("registration-1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri("https://client.com/callback/client-1")
 				.scope("read", "write")
@ -161,7 +161,7 @@ public class DefaultAuthorizationCodeTokenResponseClientTests {
 		// @formatter:on
 		this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
 		ClientRegistration clientRegistration = this.from(this.clientRegistration)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		this.tokenResponseClient.getTokenResponse(this.authorizationCodeGrantRequest(clientRegistration));
 		RecordedRequest recordedRequest = this.server.takeRequest();
 		assertThat(recordedRequest.getHeader(HttpHeaders.AUTHORIZATION)).isNull();
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultClientCredentialsTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultClientCredentialsTokenResponseClientTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -61,7 +61,7 @@ public class DefaultClientCredentialsTokenResponseClientTests {
 		this.clientRegistration = ClientRegistration.withRegistrationId("registration-1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.scope("read", "write")
 				.tokenUri(tokenUri)
@ -160,7 +160,7 @@ public class DefaultClientCredentialsTokenResponseClientTests {
 		// @formatter:on
 		this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
 		ClientRegistration clientRegistration = this.from(this.clientRegistration)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = new OAuth2ClientCredentialsGrantRequest(
 				clientRegistration);
 		this.tokenResponseClient.getTokenResponse(clientCredentialsGrantRequest);
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClientTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -131,7 +131,7 @@ public class DefaultPasswordTokenResponseClientTests {
 		// @formatter:on
 		this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
 		ClientRegistration clientRegistration = this.clientRegistrationBuilder
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration,
 				this.username, this.password);
 		this.tokenResponseClient.getTokenResponse(passwordGrantRequest);
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultRefreshTokenTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultRefreshTokenTokenResponseClientTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -129,7 +129,7 @@ public class DefaultRefreshTokenTokenResponseClientTests {
 				+ "   \"token_type\": \"bearer\",\n" + "   \"expires_in\": \"3600\"\n" + "}\n";
 		this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
 		ClientRegistration clientRegistration = this.clientRegistrationBuilder
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest = new OAuth2RefreshTokenGrantRequest(clientRegistration,
 				this.accessToken, this.refreshToken);
 		this.tokenResponseClient.getTokenResponse(refreshTokenGrantRequest);
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenResponseClientTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -61,7 +61,7 @@ public class NimbusAuthorizationCodeTokenResponseClientTests {
 	@Before
 	public void setUp() {
 		this.clientRegistrationBuilder = TestClientRegistrations.clientRegistration()
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC);
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		this.authorizationRequest = TestOAuth2AuthorizationRequests.request().build();
 		this.authorizationResponse = TestOAuth2AuthorizationResponses.success().build();
 		this.authorizationExchange = new OAuth2AuthorizationExchange(this.authorizationRequest,
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationCodeGrantRequestEntityConverterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationCodeGrantRequestEntityConverterTests.java
@ -53,7 +53,7 @@ public class OAuth2AuthorizationCodeGrantRequestEntityConverterTests {
 			.withRegistrationId("registration-1")
 			.clientId("client-1")
 			.clientSecret("secret")
-			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 			.redirectUri("https://client.com/callback/client-1")
 			.scope("read", "write")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestEntityConverterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestEntityConverterTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -48,7 +48,7 @@ public class OAuth2ClientCredentialsGrantRequestEntityConverterTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("registration-1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.scope("read", "write")
 				.tokenUri("https://provider.com/oauth2/token")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -41,7 +41,7 @@ public class OAuth2ClientCredentialsGrantRequestTests {
 		this.clientRegistration = ClientRegistration.withRegistrationId("registration-1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.scope("read", "write")
 				.tokenUri("https://provider.com/oauth2/token")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactiveClientCredentialsTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactiveClientCredentialsTokenResponseClientTests.java
@ -92,7 +92,7 @@ public class WebClientReactiveClientCredentialsTokenResponseClientTests {
 	@Test
 	public void getTokenResponseWhenPostThenSuccess() throws Exception {
 		ClientRegistration registration = this.clientRegistration
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		// @formatter:off
 		enqueueJson("{\n"
 			+ "  \"access_token\":\"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3\",\n"
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClientTests.java
@ -125,7 +125,7 @@ public class WebClientReactivePasswordTokenResponseClientTests {
 		// @formatter:on
 		this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
 		ClientRegistration clientRegistration = this.clientRegistrationBuilder
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration,
 				this.username, this.password);
 		this.tokenResponseClient.getTokenResponse(passwordGrantRequest).block();
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactiveRefreshTokenTokenResponseClientTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/WebClientReactiveRefreshTokenTokenResponseClientTests.java
@ -129,7 +129,7 @@ public class WebClientReactiveRefreshTokenTokenResponseClientTests {
 		// @formatter:on
 		this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
 		ClientRegistration clientRegistration = this.clientRegistrationBuilder
-				.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST).build();
 		OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest = new OAuth2RefreshTokenGrantRequest(clientRegistration,
 				this.accessToken, this.refreshToken);
 		this.tokenResponseClient.getTokenResponse(refreshTokenGrantRequest).block();
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
@ -77,7 +77,7 @@ public class ClientRegistrationTests {
 			ClientRegistration.withRegistrationId(REGISTRATION_ID)
 					.clientId(CLIENT_ID)
 					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 					.authorizationGrantType(null)
 					.redirectUri(REDIRECT_URI)
 					.scope(SCOPES.toArray(new String[0]))
@ -97,7 +97,7 @@ public class ClientRegistrationTests {
 		ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope(SCOPES.toArray(new String[0]))
@ -113,7 +113,8 @@ public class ClientRegistrationTests {
 		assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
 		assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
 		assertThat(registration.getClientSecret()).isEqualTo(CLIENT_SECRET);
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRedirectUri()).isEqualTo(REDIRECT_URI);
 		assertThat(registration.getScopes()).isEqualTo(SCOPES);
@ -135,7 +136,7 @@ public class ClientRegistrationTests {
 			ClientRegistration.withRegistrationId(null)
 					.clientId(CLIENT_ID)
 					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 					.redirectUri(REDIRECT_URI)
 					.scope(SCOPES.toArray(new String[0]))
@ -156,7 +157,7 @@ public class ClientRegistrationTests {
 			ClientRegistration.withRegistrationId(REGISTRATION_ID)
 					.clientId(null)
 					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 					.redirectUri(REDIRECT_URI)
 					.scope(SCOPES.toArray(new String[0]))
@ -176,7 +177,7 @@ public class ClientRegistrationTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(null)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope(SCOPES.toArray(new String[0]))
@ -206,7 +207,8 @@ public class ClientRegistrationTests {
 				.clientName(CLIENT_NAME)
 				.build();
 		// @formatter:on
-		assertThat(clientRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(clientRegistration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 	}

 	@Test
@ -255,7 +257,7 @@ public class ClientRegistrationTests {
 			ClientRegistration.withRegistrationId(REGISTRATION_ID)
 					.clientId(CLIENT_ID)
 					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 					.redirectUri(null)
 					.scope(SCOPES.toArray(new String[0]))
@ -276,7 +278,7 @@ public class ClientRegistrationTests {
 		ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope((String[]) null)
@ -296,7 +298,7 @@ public class ClientRegistrationTests {
 			ClientRegistration.withRegistrationId(REGISTRATION_ID)
 					.clientId(CLIENT_ID)
 					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 					.redirectUri(REDIRECT_URI)
 					.scope(SCOPES.toArray(new String[0]))
@ -317,7 +319,7 @@ public class ClientRegistrationTests {
 			ClientRegistration.withRegistrationId(REGISTRATION_ID)
 					.clientId(CLIENT_ID)
 					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 					.redirectUri(REDIRECT_URI)
 					.scope(SCOPES.toArray(new String[0]))
@ -337,7 +339,7 @@ public class ClientRegistrationTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope(SCOPES.toArray(new String[0]))
@ -356,7 +358,7 @@ public class ClientRegistrationTests {
 		ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope("scope1")
@ -375,7 +377,7 @@ public class ClientRegistrationTests {
 		ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.authorizationUri(AUTHORIZATION_URI)
@ -391,7 +393,7 @@ public class ClientRegistrationTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope(SCOPES.toArray(new String[0]))
@ -413,7 +415,7 @@ public class ClientRegistrationTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope(SCOPES.toArray(new String[0]))
@ -560,7 +562,7 @@ public class ClientRegistrationTests {
 				.registrationId(overriddenId)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri(REDIRECT_URI)
 				.scope(SCOPES.toArray(new String[0]))
@ -579,7 +581,7 @@ public class ClientRegistrationTests {
 		ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.scope(SCOPES.toArray(new String[0]))
 				.tokenUri(TOKEN_URI)
@ -589,7 +591,8 @@ public class ClientRegistrationTests {
 		assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
 		assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
 		assertThat(registration.getClientSecret()).isEqualTo(CLIENT_SECRET);
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
 		assertThat(registration.getScopes()).isEqualTo(SCOPES);
 		assertThat(registration.getProviderDetails().getTokenUri()).isEqualTo(TOKEN_URI);
@ -598,17 +601,18 @@ public class ClientRegistrationTests {

 	@Test
 	public void buildWhenClientCredentialsGrantRegistrationIdIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException()
-				.isThrownBy(() -> ClientRegistration.withRegistrationId(null).clientId(CLIENT_ID)
-						.clientSecret(CLIENT_SECRET).clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> ClientRegistration.withRegistrationId(null).clientId(CLIENT_ID).clientSecret(CLIENT_SECRET)
+						.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 						.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS).tokenUri(TOKEN_URI).build());
 	}

 	@Test
 	public void buildWhenClientCredentialsGrantClientIdIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> ClientRegistration.withRegistrationId(REGISTRATION_ID)
-				.clientId(null).clientSecret(CLIENT_SECRET).clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
-				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS).tokenUri(TOKEN_URI).build());
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> ClientRegistration.withRegistrationId(REGISTRATION_ID).clientId(null).clientSecret(CLIENT_SECRET)
+						.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+						.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS).tokenUri(TOKEN_URI).build());
 	}

 	@Test
@ -617,7 +621,7 @@ public class ClientRegistrationTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(null)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.tokenUri(TOKEN_URI)
 				.build();
@ -635,15 +639,16 @@ public class ClientRegistrationTests {
 				.tokenUri(TOKEN_URI)
 				.build();
 		// @formatter:on
-		assertThat(clientRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(clientRegistration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 	}

 	@Test
 	public void buildWhenClientCredentialsGrantTokenUriIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException()
-				.isThrownBy(() -> ClientRegistration.withRegistrationId(REGISTRATION_ID).clientId(CLIENT_ID)
-						.clientSecret(CLIENT_SECRET).clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
-						.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS).tokenUri(null).build());
+		assertThatIllegalArgumentException().isThrownBy(() -> ClientRegistration.withRegistrationId(REGISTRATION_ID)
+				.clientId(CLIENT_ID).clientSecret(CLIENT_SECRET)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS).tokenUri(null).build());
 	}

 	// gh-6256
@ -665,7 +670,7 @@ public class ClientRegistrationTests {
 		ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.PASSWORD)
 				.scope(SCOPES.toArray(new String[0]))
 				.tokenUri(TOKEN_URI)
@ -675,7 +680,8 @@ public class ClientRegistrationTests {
 		assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
 		assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
 		assertThat(registration.getClientSecret()).isEqualTo(CLIENT_SECRET);
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.PASSWORD);
 		assertThat(registration.getScopes()).isEqualTo(SCOPES);
 		assertThat(registration.getProviderDetails().getTokenUri()).isEqualTo(TOKEN_URI);
@ -689,7 +695,7 @@ public class ClientRegistrationTests {
 				.isThrownBy(() -> ClientRegistration.withRegistrationId(null)
 						.clientId(CLIENT_ID)
 						.clientSecret(CLIENT_SECRET)
-						.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+						.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 						.authorizationGrantType(AuthorizationGrantType.PASSWORD)
 						.tokenUri(TOKEN_URI)
 						.build()
@ -704,7 +710,7 @@ public class ClientRegistrationTests {
 				.withRegistrationId(REGISTRATION_ID)
 				.clientId(null)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.PASSWORD)
 				.tokenUri(TOKEN_URI)
 				.build()
@ -718,7 +724,7 @@ public class ClientRegistrationTests {
 		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(null)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.PASSWORD)
 				.tokenUri(TOKEN_URI)
 				.build();
@ -736,7 +742,8 @@ public class ClientRegistrationTests {
 				.tokenUri(TOKEN_URI)
 				.build();
 		// @formatter:on
-		assertThat(clientRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(clientRegistration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 	}

 	@Test
@ -746,7 +753,7 @@ public class ClientRegistrationTests {
 				.isThrownBy(() -> ClientRegistration.withRegistrationId(REGISTRATION_ID)
 						.clientId(CLIENT_ID)
 						.clientSecret(CLIENT_SECRET)
-						.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+						.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 						.authorizationGrantType(AuthorizationGrantType.PASSWORD)
 						.tokenUri(null)
 						.build()
@ -762,7 +769,7 @@ public class ClientRegistrationTests {
 				.withRegistrationId(REGISTRATION_ID)
 				.clientId(CLIENT_ID)
 				.clientSecret(CLIENT_SECRET)
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(customGrantType)
 				.scope(SCOPES.toArray(new String[0]))
 				.tokenUri(TOKEN_URI)
@ -772,7 +779,8 @@ public class ClientRegistrationTests {
 		assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
 		assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
 		assertThat(registration.getClientSecret()).isEqualTo(CLIENT_SECRET);
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(customGrantType);
 		assertThat(registration.getScopes()).isEqualTo(SCOPES);
 		assertThat(registration.getProviderDetails().getTokenUri()).isEqualTo(TOKEN_URI);
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
@ -157,7 +157,8 @@ public class ClientRegistrationsTests {
 	}

 	private void assertIssuerMetadata(ClientRegistration registration, ClientRegistration.ProviderDetails provider) {
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName());
 		assertThat(registration.getClientName()).isEqualTo(this.issuer);
@ -262,28 +263,32 @@ public class ClientRegistrationsTests {
 	public void issuerWhenTokenEndpointAuthMethodsNullThenDefaulted() throws Exception {
 		this.response.remove("token_endpoint_auth_methods_supported");
 		ClientRegistration registration = registration("").build();
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 	}

 	@Test
 	public void issuerWhenOAuth2TokenEndpointAuthMethodsNullThenDefaulted() throws Exception {
 		this.response.remove("token_endpoint_auth_methods_supported");
 		ClientRegistration registration = registrationOAuth2("", null).build();
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
 	}

 	@Test
 	public void issuerWhenTokenEndpointAuthMethodsPostThenMethodIsPost() throws Exception {
 		this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_post"));
 		ClientRegistration registration = registration("").build();
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.POST);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_POST);
 	}

 	@Test
 	public void issuerWhenOAuth2TokenEndpointAuthMethodsPostThenMethodIsPost() throws Exception {
 		this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_post"));
 		ClientRegistration registration = registrationOAuth2("", null).build();
-		assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.POST);
+		assertThat(registration.getClientAuthenticationMethod())
+				.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_POST);
 	}

 	@Test
@ -310,7 +315,7 @@ public class ClientRegistrationsTests {
 		// @formatter:off
 		assertThatIllegalArgumentException()
 				.isThrownBy(() -> registration(""))
-				.withMessageContaining("Only ClientAuthenticationMethod.BASIC, ClientAuthenticationMethod.POST and "
+				.withMessageContaining("Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
 						+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + this.issuer
 						+ "\" returned a configuration of [tls_client_auth]");
 		// @formatter:on
@ -322,7 +327,7 @@ public class ClientRegistrationsTests {
 		// @formatter:off
 		assertThatIllegalArgumentException()
 				.isThrownBy(() -> registrationOAuth2("", null))
-				.withMessageContaining("Only ClientAuthenticationMethod.BASIC, ClientAuthenticationMethod.POST and "
+				.withMessageContaining("Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
 						+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + this.issuer
 						+ "\" returned a configuration of [tls_client_auth]");
 		// @formatter:on
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/TestClientRegistrations.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/TestClientRegistrations.java
@ -32,7 +32,7 @@ public final class TestClientRegistrations {
 		// @formatter:off
 		return ClientRegistration.withRegistrationId("registration-id")
 				.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.scope("read:user")
 				.authorizationUri("https://example.com/login/oauth/authorize")
@ -51,7 +51,7 @@ public final class TestClientRegistrations {
 		// @formatter:off
 		return ClientRegistration.withRegistrationId("registration-id-2")
 				.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.scope("read:user")
 				.authorizationUri("https://example.com/login/oauth/authorize")
@ -76,7 +76,7 @@ public final class TestClientRegistrations {
 	public static ClientRegistration.Builder password() {
 		// @formatter:off
 		return ClientRegistration.withRegistrationId("password")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.PASSWORD)
 				.scope("read", "write")
 				.tokenUri("https://example.com/login/oauth/access_token")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/OAuth2UserRequestTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/userinfo/OAuth2UserRequestTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -52,7 +52,7 @@ public class OAuth2UserRequestTests {
 		this.clientRegistration = ClientRegistration.withRegistrationId("registration-1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri("https://client.com")
 				.scope(new LinkedHashSet<>(Arrays.asList("scope1", "scope2")))
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
@ -496,7 +496,7 @@ public class DefaultOAuth2AuthorizationRequestResolverTests {
 		// @formatter:off
 		return ClientRegistration.withRegistrationId("fine-redirect-uri-template-client-registration")
 				.redirectUri("{baseScheme}://{baseHost}{basePort}{basePath}/{action}/oauth2/code/{registrationId}")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.scope("read:user")
 				.authorizationUri("https://example.com/login/oauth/authorize")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilterTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -223,7 +223,7 @@ public class OAuth2LoginAuthenticationFilterTests {
 		ClientRegistration registrationNotFound = ClientRegistration.withRegistrationId("registration-not-found")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
 				.scope("user")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2AuthorizedClientArgumentResolverTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2AuthorizedClientArgumentResolverTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -114,7 +114,7 @@ public class OAuth2AuthorizedClientArgumentResolverTests {
 		this.registration1 = ClientRegistration.withRegistrationId("client1")
 				.clientId("client-1")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
 				.scope("user")
@ -127,7 +127,7 @@ public class OAuth2AuthorizedClientArgumentResolverTests {
 		this.registration2 = ClientRegistration.withRegistrationId("client2")
 				.clientId("client-2")
 				.clientSecret("secret")
-				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.scope("read", "write")
 				.tokenUri("https://provider.com/oauth2/token")
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -61,7 +61,7 @@ public class ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTests {
 	// @formatter:off
 	private ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(this.clientRegistrationId)
 			.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
-			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+			.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
 			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 			.scope("read:user")
 			.authorizationUri("https://github.com/login/oauth/authorize")
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -34,10 +34,30 @@ public final class ClientAuthenticationMethod implements Serializable {

 	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

+	/**
+	 * @deprecated Use {@link #CLIENT_SECRET_BASIC}
+	 */
+	@Deprecated
 	public static final ClientAuthenticationMethod BASIC = new ClientAuthenticationMethod("basic");

+	/**
+	 * @since 5.5
+	 */
+	public static final ClientAuthenticationMethod CLIENT_SECRET_BASIC = new ClientAuthenticationMethod(
+			"client_secret_basic");
+
+	/**
+	 * @deprecated Use {@link #CLIENT_SECRET_POST}
+	 */
+	@Deprecated
 	public static final ClientAuthenticationMethod POST = new ClientAuthenticationMethod("post");

+	/**
+	 * @since 5.5
+	 */
+	public static final ClientAuthenticationMethod CLIENT_SECRET_POST = new ClientAuthenticationMethod(
+			"client_secret_post");
+
 	/**
 	 * @since 5.2
 	 */
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/ClientAuthenticationMethodTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/ClientAuthenticationMethodTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -38,11 +38,21 @@ public class ClientAuthenticationMethodTests {
 		assertThat(ClientAuthenticationMethod.BASIC.getValue()).isEqualTo("basic");
 	}

+	@Test
+	public void getValueWhenAuthenticationMethodClientSecretBasicThenReturnClientSecretBasic() {
+		assertThat(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()).isEqualTo("client_secret_basic");
+	}
+
 	@Test
 	public void getValueWhenAuthenticationMethodPostThenReturnPost() {
 		assertThat(ClientAuthenticationMethod.POST.getValue()).isEqualTo("post");
 	}

+	@Test
+	public void getValueWhenAuthenticationMethodClientSecretPostThenReturnClientSecretPost() {
+		assertThat(ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue()).isEqualTo("client_secret_post");
+	}
+
 	@Test
 	public void getValueWhenAuthenticationMethodNoneThenReturnNone() {
 		assertThat(ClientAuthenticationMethod.NONE.getValue()).isEqualTo("none");