Client authentication support: private_key_jwt
The Identify OAuth 2.0 service provider allows its users to authenticate their clients with the private_key_jwt method.
When an authorization server authenticates its clients with the private_key_jwt method, each client must send a request containing an assertion in JWT format to the server's token endpoint, and the authorization server must validate the signature and payload of that assertion, as described below.
The discovery endpoint returns the list of supported client authentication methods (token_endpoint_auth_methods_supported), which shows that private_key_jwt is supported:
Dynamic client registration endpoint
Please visit the Client metadata section for more details about supported keys:
Setting up OAuth2.0 protocol connection for private_key_jwt
You need to update the settings below:
- Token endpoint authentication method: Set to PrivateKeyJwt
- Register the client's public key jwks in the setting "Client's registered jwks which are used for verifying client_assertion", or its jwks_uri in the setting "A client's uri from which Safewhere Identify can fetch its jwks that are used for verifying client_assertion". Please note that these two settings cannot be set at the same time; only one of them can be used, otherwise the connection cannot be saved.
For the Identify Admin, you can find the options in the OAuth2.0 protocol connection:
For the Safewhere Admin, you can find the option in the OpenID Connect/OAuth2.0 application's connection settings:
For the REST API, you can add the properties named "clientJwks", "clientJwksUri" and "tokenEndpointAuthenticationMethod" to the connection's "configuration" JSON element.
The client must send a request that contains the following parameters to the token endpoint when using the private_key_jwt method.
| Parameter | Value |
|---|---|
| client_assertion_type | The value must be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" |
| client_assertion | A JWT that contains information for client authentication |
The value of client_assertion must be a signed JWT that contains the information for client authentication and meets the following requirements:
- Signing: The JWT must be signed using a SHA-256 based algorithm.
- The JWT must contain the REQUIRED claims listed below:
  - iss: REQUIRED. The Issuer claim, which MUST contain the client_id of the OAuth Client.
  - sub: REQUIRED. The Subject claim, which MUST contain the client_id of the OAuth Client.
  - aud: REQUIRED. The Audience claim, which identifies the Authorization Server as an intended audience. The Authorization Server MUST verify that it is an intended audience for the token. The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.
  - jti: REQUIRED. A unique identifier (JWT ID) for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties; any such negotiation is beyond the scope of this specification.
  - exp: REQUIRED. Expiration time on or after which the JWT MUST NOT be accepted for processing.
  - iat: OPTIONAL. Time at which the JWT was issued.
Request body example:
If the request is valid, the Identify OAuth 2.0 authorization server returns an access_token.
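As an added example (not part of this page and not Safewhere's own code), the following Go program shows both halves of the exchange described above: the client builds and signs the client_assertion with the required claims, and a minimal verifier does what the authorization server must do with the jwks registered on the connection (the settings described under "Setting up OAuth2.0 protocol connection"): pin the signing algorithm, check the signature against the registered public key, check iss, sub, aud and exp, and reject a reused jti. RS256 is assumed as the SHA-256 signing algorithm; the client_id my-client, the token endpoint URL https://identify.example/oauth2/token and the jti values are constructed placeholders, and the RSA key pair is generated at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// AssertionClaims holds the claims this page requires in a client_assertion.
type AssertionClaims struct {
	Iss string `json:"iss"` // REQUIRED: the client_id
	Sub string `json:"sub"` // REQUIRED: the client_id
	Aud string `json:"aud"` // REQUIRED: the token endpoint URL
	Jti string `json:"jti"` // REQUIRED: unique, single-use identifier
	Exp int64  `json:"exp"` // REQUIRED: unix time; rejected on or after it
}

// BuildAssertion (client side) signs the claims with the client's private key as RS256.
func BuildAssertion(key *rsa.PrivateKey, c AssertionClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verifier is the server side: expected client_id and aud, the client's registered public key, used jtis.
type Verifier struct {
	ClientID, TokenEndpoint string
	PublicKey               *rsa.PublicKey
	seenJti                 map[string]struct{}
}

func NewVerifier(clientID, tokenEndpoint string, pub *rsa.PublicKey) *Verifier {
	return &Verifier{clientID, tokenEndpoint, pub, map[string]struct{}{}}
}

// Verify checks the signature with the registered key, then each required claim, and
// consumes the jti so the same assertion cannot be replayed.
func (v *Verifier) Verify(assertion string) (*AssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	payload, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("malformed base64url segment")
	}
	// Pin the algorithm: never let the token's own header choose how it is verified.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.PublicKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c AssertionClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != v.ClientID: return nil, errors.New("iss must be the client_id")
	case c.Sub != v.ClientID: return nil, errors.New("sub must be the client_id")
	case c.Aud != v.TokenEndpoint: return nil, errors.New("aud must be this token endpoint")
	case c.Exp == 0 || !time.Now().Before(time.Unix(c.Exp, 0)): return nil, errors.New("assertion expired")
	}
	if _, used := v.seenJti[c.Jti]; used || c.Jti == "" {
		return nil, errors.New("jti missing or already used")
	}
	v.seenJti[c.Jti] = struct{}{}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	v := NewVerifier("my-client", "https://identify.example/oauth2/token", &key.PublicKey) // placeholders
	a, _ := BuildAssertion(key, AssertionClaims{Iss: "my-client", Sub: "my-client", Aud: v.TokenEndpoint, Jti: "constructed-jti-1", Exp: time.Now().Unix() + 60})
	_, first := v.Verify(a)
	_, replay := v.Verify(a) // same jti presented again: must be rejected
	body := url.Values{"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}, "client_assertion": {a}}
	fmt.Println(body.Encode()[:60]+"...", "| first:", first, "| replay:", replay)
}
```

The printed form body is what the client POSTs to the token endpoint: client_assertion_type carries the fixed URN from the table above and client_assertion carries the JWT. The verifier keeps consumed jti values in memory only; a real authorization server persists them (at least until the assertion's exp) across all its instances, and obtains the public key from the jwks or jwks_uri registered on the connection rather than from anything inside the token.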
ASP.NET MVC Sample
You can use our web application sample to try client authentication out.
A couple of keys were added to the web.config:
<add key="IdentifyOauth2:AuthenticationType" value="private_key_jwt" />
<add key="IdentifyOauth2:ClientCertificate" value="3C1FD735A4035E3B78D33444DE5327C393AA282E" />
To enable the private_key_jwt method, you need to set the "IdentifyOauth2:AuthenticationType" setting to "private_key_jwt" and use the signing certificate identified by "IdentifyOauth2:ClientCertificate" to generate a correct client_assertion, a JWT that contains information for client authentication.
You can use our jwks sample to configure the connection.