On a token request, a client crafts a digitally signed JWT assertion and includes it in the request. The authorization server then authenticates the client by verifying the signature and the payload of the assertion.
Authlete supports private_key_jwt as a client authentication method so that authorization servers built on Authlete can enable it. This article gives an overview of the method and setup instructions for Authlete.
Requirements for private_key_jwt
The following sections describe the requirements on the client side and on the authorization server side.
Client
A client must include the following parameters in a token request when using the private_key_jwt method.
| Parameter | Description |
|---|---|
| client_assertion_type | The type of the client_assertion. Its value must be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer". |
| client_assertion | A JWT that contains the information used for client authentication. It must be digitally signed with the client's private key. See below for details. |
The value of client_assertion must satisfy the following requirements on its JWT payload and JWT signature. You can find an example JWT in the "Generating a JWT assertion" section.
Payload
A JWT assertion must contain the REQUIRED claims listed below.
| Claim | Description |
|---|---|
| iss | [REQUIRED] Issuer. This must contain the client_id of the OAuth client. |
| sub | [REQUIRED] Subject. This must contain the client_id of the OAuth client. |
| aud | [REQUIRED] Audience. A value that identifies the authorization server as an intended audience. The authorization server must verify that it is an intended audience for the token. The audience should be the URL of the authorization server's token endpoint. |
| jti | [REQUIRED] JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens must only be used once unless conditions for reuse were negotiated between the parties; any such negotiation is beyond the scope of this specification. |
| exp | [REQUIRED] Expiration time on or after which the JWT must not be accepted for processing. |
| iat | [OPTIONAL] Time at which the JWT was issued. |
Signature
A JWT assertion must be digitally signed with the client's private key using an asymmetric algorithm (e.g. RS256).
A client using this authentication method has to register its public key with the authorization server in advance so that the server can verify the signature of the assertion.
Authorization server
An authorization server must process a token request as per the specifications listed below. The details are omitted here because you can offload these operations from your authorization server to Authlete.
This section explains the settings for enabling the private_key_jwt method. You have to configure both the Authlete service and the client that is to be authenticated with the method.
Authlete service
Configure the following setting in the Service Owner Console.
Then, prepare a JWK set for signing and verification. Here we use mkjwk.org to generate a JWK set. The examples below were generated using the ES256 algorithm, with the public and private key pair saved as the file "key_pair.jwk".
Generate a JWT assertion that includes the payload described above and is signed with the private key. The example below uses the authlete-jose library; alternatively, you can use the mkjose.org website to do the same.
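To make the requirements above concrete, here is an added example written for this article; it is not code from Authlete or the authlete-jose library. It builds an ES256 private_key_jwt assertion with only the Go standard library (in place of authlete-jose or mkjose.org) and then performs, on the authorization server side, the checks that Authlete carries out when you offload client authentication to it: the assertion type, a pinned algorithm, the signature against the key registered for the client, and the aud, exp and jti claims. The client_id "client-123", the token endpoint URL and the jti values are constructed sample values, and a freshly generated P-256 key pair stands in for key_pair.jwk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const jwtBearerType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// clientKey is a constructed P-256 key pair standing in for the article's key_pair.jwk.
var clientKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// assertionClaims is the payload of a private_key_jwt client assertion.
type assertionClaims struct {
	Iss string `json:"iss"`           // client_id
	Sub string `json:"sub"`           // client_id
	Aud string `json:"aud"`           // token endpoint URL of the authorization server
	Jti string `json:"jti"`           // unique id, accepted once
	Exp int64  `json:"exp"`           // expiry, seconds since epoch
	Iat int64  `json:"iat,omitempty"` // issued-at, optional
}

// buildAssertion is the client side: marshal the payload and sign it with ES256 (jti is a parameter here so callers control uniqueness; a real client generates a random one per request).
func buildAssertion(priv *ecdsa.PrivateKey, clientID, aud, jti string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, _ := json.Marshal(assertionClaims{Iss: clientID, Sub: clientID, Aud: aud, Jti: jti, Exp: now.Add(ttl).Unix(), Iat: now.Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S (32 bytes each), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

type authServer struct {
	tokenEndpoint string
	clients       map[string]*ecdsa.PublicKey // client_id -> public key registered in advance
	seenJTI       map[string]int64            // jti -> exp; entries can be dropped once exp has passed
}

// authenticateClient checks the assertion type, the pinned alg, the signature and then the claims.
func (a *authServer) authenticateClient(assertionType, assertion string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if assertionType != jwtBearerType || len(parts) != 3 {
		return "", fmt.Errorf("unsupported client_assertion_type or malformed JWT")
	}
	var hdr struct{ Alg string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("alg must be ES256") // never let the token choose the algorithm
	}
	var c assertionClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Iss == "" || c.Iss != c.Sub {
		return "", fmt.Errorf("payload malformed, or iss/sub is not the client_id")
	}
	pub, ok := a.clients[c.Iss] // only the key registered for this client, never one carried in the token
	sig, err := b64.DecodeString(parts[2])
	if !ok || err != nil || len(sig) != 64 {
		return "", fmt.Errorf("unknown client or malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	if c.Aud != a.tokenEndpoint || c.Exp == 0 || now.Unix() >= c.Exp { // not accepted on or after exp
		return "", fmt.Errorf("aud is not this token endpoint, or the assertion has expired")
	}
	if _, replayed := a.seenJTI[c.Jti]; c.Jti == "" || replayed {
		return "", fmt.Errorf("jti missing or already used")
	}
	a.seenJTI[c.Jti] = c.Exp
	return c.Iss, nil
}

// demo runs a valid request, then replays the same assertion, then sends one with a wrong aud.
func demo() (clientID string, replayRejected, wrongAudRejected bool, err error) {
	const endpoint = "https://as.example.com/api/token" // constructed sample value
	srv := &authServer{tokenEndpoint: endpoint, clients: map[string]*ecdsa.PublicKey{"client-123": &clientKey.PublicKey}, seenJTI: map[string]int64{}}
	now := time.Now()
	good, _ := buildAssertion(clientKey, "client-123", endpoint, "jti-1", now, time.Minute)
	clientID, err = srv.authenticateClient(jwtBearerType, good, now)
	_, replayErr := srv.authenticateClient(jwtBearerType, good, now)
	bad, _ := buildAssertion(clientKey, "client-123", "https://other.example.com/token", "jti-2", now, time.Minute)
	_, audErr := srv.authenticateClient(jwtBearerType, bad, now)
	return clientID, replayErr != nil, audErr != nil, err
}

func main() { fmt.Println(demo()) }
```

Two design points are worth noting. The server looks up the verification key by the client_id in iss and never takes a key or an algorithm from the token itself, which is what makes the registered public key the root of trust. The jti cache only needs to hold entries until their exp passes, because the exp check rejects anything older on its own.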