Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

OAuth 2.0 and OpenID Connect

OAuth client authentication methods

search

OAuth client authentication methods

In the context of OAuth 2.0, confidential clients have to authenticate with the authorization server when making requests to the token endpoint. According to RFC6749, "if the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements."

How does this work?

The OneWelcome Identity Platform supports multiple ways of authenticating OAuth2 clients, compliant with the RFC specification, such as:

  • client_secret_post
  • client_id and client_secret must be sent as form data
  • Client_secret_basic
  • client_id and client_secret must be sent as authorization basic header
  • none must be set for public clients, where no authentication is needed
  • private_key_jwt requires the client to generate a private and public key pair

Private key JWT client authentication

Tto use this client authentication method, the RP has to generate a private and a public key, and configure the public key on the OAuth2 client. For requests to the token API, the RP has to generate a JWT token that is signed with the private key, and the JWT token that is created has to contain a set of mandatory claims.

Example of generating a public and private key

Run the following commands in a terminal:

    1. keytool -genkey -alias <yourOauth2ClientName> -keyalg RSA -keystore TodayApp.jks
    2. keytool -export -alias <yourOauth2ClientName> -file nwU59qy9AsDqftmwLcfmkvOhvuYa -keystore TodayApp.jks
    3. keytool -importkeystore -srckeystore TodayApp.jks -destkeystore TodayApp.p12 -deststoretype PKCS12
    4. openssl pkcs12 -in TodayApp.p12 -nokeys -out pubcert.pem
    5. openssl pkcs12 -in TodayApp.p12 -nodes -nocerts -out privatekey.pem

Example of a token request using private key JWT

    curl --request POST \
      --url https://www.ongo.com/bikes/auth/oauth2.0/v1/token \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data grant_type=refresh_token \
      --data refresh_token=dcde74ce-3fe1-4b12-b5d2-9e7dbeaab51b \
      --data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
      --data client_assertion=<YOUR GENERATED JWT>

The optional and mandatory claims the generated JWT needs to have are below:

Value Description
iss REQUIRED. Issuer. This MUST contain the client_id of the OAuth client.
sub REQUIRED. Subject. This MUST contain the client_id of the OAuth client.
aud REQUIRED. Audience. The aud (audience) claim. Value that identifies the authorization server as an intended audience. The authorization server MUST verify that it is an intended audience for the token. The Audience SHOULD be the URL of the authorization server's token endpoint.
exp REQUIRED. Expiration time on or after which the ID token MUST NOT be accepted for processing.
iat OPTIONAL. Time at which the JWT was issued.

An example of a decoded JWT payload can be seen below:

    {
        "sub": "jwt-bearer-client",
        "aud": [
            "https://www.ongo.com/auth/oauth2.0/v1/access_token",
            "https://www.ongo.com/auth/oauth2.0/v1/revoke",
            "https://www.ongo.com/auth/oauth2.0/v1/introspect"
        ],
        "iss": "jwt-bearer-client",
        "exp": 1606331802
        }

On this page