diff --git a/src/OpenIddict.Abstractions/Descriptors/OpenIddictApplicationDescriptor.cs b/src/OpenIddict.Abstractions/Descriptors/OpenIddictApplicationDescriptor.cs
index 3bf0c71f..b5f504d6 100644
--- a/src/OpenIddict.Abstractions/Descriptors/OpenIddictApplicationDescriptor.cs
+++ b/src/OpenIddict.Abstractions/Descriptors/OpenIddictApplicationDescriptor.cs
@@ -24,6 +24,12 @@ public class OpenIddictApplicationDescriptor
/// Note: depending on the application manager used when creating it,
/// this property may be hashed or encrypted for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public string? ClientSecret { get; set; }
///
diff --git a/src/OpenIddict.Abstractions/Managers/IOpenIddictApplicationManager.cs b/src/OpenIddict.Abstractions/Managers/IOpenIddictApplicationManager.cs
index 49a55504..8099cce6 100644
--- a/src/OpenIddict.Abstractions/Managers/IOpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Abstractions/Managers/IOpenIddictApplicationManager.cs
@@ -76,6 +76,12 @@ public interface IOpenIddictApplicationManager
/// Note: the default implementation automatically hashes the client
/// secret before storing it in the database, for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application to create.
/// The client secret associated with the application, if applicable.
/// The that can be used to abort the operation.
@@ -496,13 +502,19 @@ public interface IOpenIddictApplicationManager
/// Note: the default implementation automatically hashes the client
/// secret before storing it in the database, for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application to update.
/// The client secret associated with the application.
/// The that can be used to abort the operation.
///
/// A that can be used to monitor the asynchronous operation.
///
- ValueTask UpdateAsync(object application, string secret, CancellationToken cancellationToken = default);
+ ValueTask UpdateAsync(object application, string? secret, CancellationToken cancellationToken = default);
///
/// Validates the application to ensure it's in a consistent state.
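Review bot: The only code change in this hunk, `string secret` → `string? secret` on `UpdateAsync`, widens the contract without saying what a null secret means, and that matters for security: a caller cannot tell whether null clears the stored secret (leaving a confidential client with no credential to validate against) or keeps the existing hash untouched. The `<param>` line still reads `/// The client secret associated with the application.`; it should mirror the `CreateAsync` wording above (`..., if applicable`) and state explicitly what a null value does on update, whichever the implementation actually does. The default implementation's signature in `OpenIddictApplicationManager.UpdateAsync` is not in the visible lines of this diff, so whether it was made nullable as well cannot be confirmed from here; implementers of the interface should be checked too.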
@@ -515,6 +527,12 @@ public interface IOpenIddictApplicationManager
///
/// Validates the client_secret associated with an application.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application.
/// The secret that should be compared to the client_secret stored in the database.
/// The that can be used to abort the operation.
diff --git a/src/OpenIddict.Abstractions/Primitives/OpenIddictRequest.cs b/src/OpenIddict.Abstractions/Primitives/OpenIddictRequest.cs
index 1968f9c8..dff8e09b 100644
--- a/src/OpenIddict.Abstractions/Primitives/OpenIddictRequest.cs
+++ b/src/OpenIddict.Abstractions/Primitives/OpenIddictRequest.cs
@@ -218,6 +218,12 @@ public class OpenIddictRequest : OpenIddictMessage
///
/// Gets or sets the "client_secret" parameter.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public string? ClientSecret
{
get => (string?) GetParameter(OpenIddictConstants.Parameters.ClientSecret);
diff --git a/src/OpenIddict.Abstractions/Stores/IOpenIddictApplicationStore.cs b/src/OpenIddict.Abstractions/Stores/IOpenIddictApplicationStore.cs
index 0f6f55d6..f0261aa5 100644
--- a/src/OpenIddict.Abstractions/Stores/IOpenIddictApplicationStore.cs
+++ b/src/OpenIddict.Abstractions/Stores/IOpenIddictApplicationStore.cs
@@ -139,6 +139,12 @@ public interface IOpenIddictApplicationStore where TApplication :
/// Note: depending on the manager used to create the application,
/// the client secret may be hashed for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application.
/// The that can be used to abort the operation.
///
@@ -334,6 +340,12 @@ public interface IOpenIddictApplicationStore where TApplication :
/// Note: depending on the manager used to create the application,
/// the client secret may be hashed for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application.
/// The client secret associated with the application.
/// The that can be used to abort the operation.
diff --git a/src/OpenIddict.Client/OpenIddictClientRegistration.cs b/src/OpenIddict.Client/OpenIddictClientRegistration.cs
index bd42bc14..58a6add9 100644
--- a/src/OpenIddict.Client/OpenIddictClientRegistration.cs
+++ b/src/OpenIddict.Client/OpenIddictClientRegistration.cs
@@ -30,6 +30,12 @@ public sealed class OpenIddictClientRegistration
///
/// Gets or sets the client secret assigned by the authorization server, if applicable.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public string? ClientSecret { get; set; }
///
diff --git a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
index bb6178e2..7dd9a27c 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@@ -122,6 +122,12 @@ public class OpenIddictApplicationManager : IOpenIddictApplication
/// Note: the default implementation automatically hashes the client
/// secret before storing it in the database, for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application to create.
/// The client secret associated with the application, if applicable.
/// The that can be used to abort the operation.
@@ -1157,6 +1163,12 @@ public class OpenIddictApplicationManager : IOpenIddictApplication
/// Note: the default implementation automatically hashes the client
/// secret before storing it in the database, for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application to update.
/// The client secret associated with the application.
/// The that can be used to abort the operation.
@@ -1334,6 +1346,12 @@ public class OpenIddictApplicationManager : IOpenIddictApplication
///
/// Validates the client_secret associated with an application.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The application.
/// The secret that should be compared to the client_secret stored in the database.
/// The that can be used to abort the operation.
diff --git a/src/OpenIddict.EntityFramework.Models/OpenIddictEntityFrameworkApplication.cs b/src/OpenIddict.EntityFramework.Models/OpenIddictEntityFrameworkApplication.cs
index f61be38c..bdcc8214 100644
--- a/src/OpenIddict.EntityFramework.Models/OpenIddictEntityFrameworkApplication.cs
+++ b/src/OpenIddict.EntityFramework.Models/OpenIddictEntityFrameworkApplication.cs
@@ -50,6 +50,12 @@ public class OpenIddictEntityFrameworkApplication
/// Note: depending on the application manager used to create this instance,
/// this property may be hashed or encrypted for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public virtual string? ClientSecret { get; set; }
///
diff --git a/src/OpenIddict.EntityFrameworkCore.Models/OpenIddictEntityFrameworkCoreApplication.cs b/src/OpenIddict.EntityFrameworkCore.Models/OpenIddictEntityFrameworkCoreApplication.cs
index 79520f3f..4a983a27 100644
--- a/src/OpenIddict.EntityFrameworkCore.Models/OpenIddictEntityFrameworkCoreApplication.cs
+++ b/src/OpenIddict.EntityFrameworkCore.Models/OpenIddictEntityFrameworkCoreApplication.cs
@@ -58,6 +58,12 @@ public class OpenIddictEntityFrameworkCoreApplication
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public virtual string? ClientSecret { get; set; }
///
diff --git a/src/OpenIddict.MongoDb.Models/OpenIddictMongoDbApplication.cs b/src/OpenIddict.MongoDb.Models/OpenIddictMongoDbApplication.cs
index ebae6239..ba631049 100644
--- a/src/OpenIddict.MongoDb.Models/OpenIddictMongoDbApplication.cs
+++ b/src/OpenIddict.MongoDb.Models/OpenIddictMongoDbApplication.cs
@@ -32,6 +32,12 @@ public class OpenIddictMongoDbApplication
/// Note: depending on the application manager used to create this instance,
/// this property may be hashed or encrypted for security reasons.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
[BsonElement("client_secret"), BsonIgnoreIfNull]
public virtual string? ClientSecret { get; set; }
diff --git a/src/OpenIddict.Server/OpenIddictServerEvents.cs b/src/OpenIddict.Server/OpenIddictServerEvents.cs
index 350fe8b3..809f30dc 100644
--- a/src/OpenIddict.Server/OpenIddictServerEvents.cs
+++ b/src/OpenIddict.Server/OpenIddictServerEvents.cs
@@ -148,6 +148,12 @@ public static partial class OpenIddictServerEvents
/// The authorization server application is responsible for
/// validating this value to ensure it identifies a registered client.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public string? ClientSecret => Transaction.Request?.ClientSecret;
}
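Review bot: The context lines just above the new note (`The authorization server application is responsible for validating this value to ensure it identifies a registered client.`) read like the `ClientId` documentation copied onto the `ClientSecret` property; a secret does not identify a client, it is compared against the credential registered for it. Since this commit already touches the remarks here, the sentence should be corrected to something like `validating this value against the secret registered for the client, using a constant-time comparison`. The enclosing context class begins outside the hunk, so I cannot confirm how the sibling `ClientId` property is documented.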
diff --git a/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs b/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
index f99e26f7..d0c2da48 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationBuilder.cs
@@ -672,6 +672,12 @@ public sealed class OpenIddictValidationBuilder
/// Sets the client identifier client_secret used when communicating
/// with the remote authorization server (e.g for introspection).
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
/// The client secret.
/// The instance.
public OpenIddictValidationBuilder SetClientSecret(string secret)
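Review bot: The summary left in context, `Sets the client identifier client_secret used when communicating`, appears to be a copy-paste slip from `SetClientId` and is misleading on a method that only sets the secret; while this commit is editing the same doc block it should read `Sets the client_secret used when communicating with the remote authorization server (e.g for introspection).`. `SetClientSecret(string secret)` keeps a non-nullable parameter while `OpenIddictValidationOptions.ClientSecret` is `string?`, which looks intentional (the builder presumably rejects empty input), but the method body is outside the hunk so that cannot be verified here.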
diff --git a/src/OpenIddict.Validation/OpenIddictValidationOptions.cs b/src/OpenIddict.Validation/OpenIddictValidationOptions.cs
index 70e5de17..a0a2aff8 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationOptions.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationOptions.cs
@@ -85,6 +85,12 @@ public sealed class OpenIddictValidationOptions
///
/// Gets or sets the client secret sent to the authorization server when using remote validation.
///
+ ///
+ /// Note: client authentication based on shared secrets is not recommended and should
+ /// only be used for backward compatibility with legacy applications that only support
+ /// client secrets. When possible, consider using public/private key pairs or TLS client
+ /// certificates instead, as these client authentication methods are significantly safer.
+ ///
public string? ClientSecret { get; set; }
///