Prerequisites to private_key_jwt

- The authorization server enables client applications to use the private_key_jwt client authentication method.
- The client is registered with the private_key_jwt method as the token authentication method.
- A public and private key pair is prepared on the client side.
- The client's public key is converted from the PEM format to a jwks (JSON Web Key Set). You can host your jwks on a server of your choice to enable using jwks_uri.
- The jwks or jwks_uri public key is added to the authorization server in the client's OAuth configuration.
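The PEM-to-jwks conversion from the prerequisite above, as an added example in Go using only the standard library (this is not Cloudentity's own code). The key pair, the kid label and the function names are constructed for the demo; the conversion rejects anything that is not a PUBLIC KEY block, so a private key PEM cannot be turned into a document meant for publication at jwks_uri.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
)

// JWK holds the RFC 7517/7518 fields of an RSA public signing key.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document registered as jwks or served at jwks_uri.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// GenerateDemoKey creates a throwaway 2048-bit RSA key pair (constructed for the demo).
func GenerateDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// PublicKeyToPEM encodes the public half in PKIX "PUBLIC KEY" PEM form, the
// format the prerequisites say the client starts from.
func PublicKeyToPEM(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// PEMToJWKS converts a PEM public key into a single-key JWK Set. Anything that is
// not a PUBLIC KEY block (in particular a private key PEM) is rejected.
func PEMToJWKS(pemBytes []byte, kid string) (*JWKS, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("input is not a PEM-encoded PUBLIC KEY block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("only RSA public keys are handled here")
	}
	// n and e are unsigned big-endian integers, base64url-encoded without padding.
	jwk := JWK{
		Kty: "RSA", Use: "sig", Alg: "RS256", Kid: kid,
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
	return &JWKS{Keys: []JWK{jwk}}, nil
}

// ModulusMatches confirms that the JWK's n decodes back to the original modulus.
func ModulusMatches(jwk JWK, pub *rsa.PublicKey) bool {
	n, err := base64.RawURLEncoding.DecodeString(jwk.N)
	return err == nil && new(big.Int).SetBytes(n).Cmp(pub.N) == 0
}

func main() {
	key := GenerateDemoKey()
	pemBytes, err := PublicKeyToPEM(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	set, err := PEMToJWKS(pemBytes, "client-key-1") // kid is an arbitrary label you choose
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(set, "", "  ")
	fmt.Println(string(out)) // this is the jwks to register or serve at jwks_uri
}
```

The kid you choose here should also go into the header of every assertion the client signs, so the authorization server can pick the right key when the set is rotated and contains more than one entry.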
Authenticating Clients Using private_key_jwt Method

- The client prepares a JSON with the request data.

Example

```json
{
  "iss": "YzEzMGdoMHJnOHBiOG1ibDhyNTA=",
  "sub": "YzEzMGdoMHJnOHBiOG1ibDhyNTA=",
  "aud": "https://localhost:8443/{tid}/{aid}/oauth2/authorize",
  "jti": "1516235555",
  "exp": "2021-05-17T07:09:48.000+0545"
}
```

- The prepared data is signed using the private key, resulting in a JSON Web Token.
- The client makes a request for an access token to the authorization server's token endpoint, including the following parameters:

| parameter | value | type |
|---|---|---|
| client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | Required |
| client_assertion | Must contain a single JSON Web Token. | Required |
| grant_type | Type of the grant used, for example, client_credentials | Required |
Example request with extra line breaks added for display purposes (the token endpoint expects a form-encoded body, so the parameters are sent with --data-urlencode):

```shell
curl --request POST \
  --url https://localhost:8443/{tid}/{aid}/oauth2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.
eyJpc3N1ZXIiOiJZekV6TUdkb01ISm5PSEJpT0cxaWJEaHlOVEE9Iiwic3ViamVjdCI6Ill6RXpN
R2RvTUhKbk9IQmlPRzFpYkRoeU5UQT0iLCJzY29wZSI6ImludHJvc2NwZWN0X3Rva2VucywgcmV2
b2tlX3Rva2VucyIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0Ojg0NDMve3RpZH0ve2FpZH0vb2F1
dGgyL2F1dGhvcml6ZSIsImp3dElEIjoiMTUxNjIzOTAyMiIsImV4cGlyYXRpb25UaW1lIjoiMjAy
MS0wNS0xN1QwNzowOTo0OC4wMDArMDU0NSJ9.
PkkBvc1oPLdSXCqKdf5r2-is51CFvLVbdM9GYmzRvGqnxFK7MyKgSEqA0wZzC0rc8q7TAx2AwpFQ
E-Ea1MKQEW1qViyl2MwUcbg8QHN1dSZez_eMpmQiQUiIuZKJYbrjlbKypXPCGcTL8YVkDrA2F6ny
El1BpVvT8s-yeQX7VpfiKcKHApF0d_jnDizGCpwxnsSlobgjXRftMKoeyChKnF3y-KI33LrcP3n-
Mvr9Y12vN39PV4JTzcBSqU4g8rjDtPt2Z1swXjEO4X6DQmso5L09a_Wb7vf9umaOJfP3luye7Uyj
4fMTCNchZu0pFxq98-Dq13rdiXHOGsV0f0SkJw'
```
- After successful validation of the request, the authorization server generates an access token and returns it to the client. To validate the request, the authorization server extracts the client's assertion and verifies it using the client's public key.
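Both sides of the exchange above, as an added example in Go with only the standard library (not Cloudentity's own code): the client builds and RS256-signs the assertion, and the authorization server verifies the signature with the registered public key and then checks aud, iss/sub, exp and single use of jti. The key pair, the kid, the client_id value and the function names are constructed for the demo. One caveat this example makes explicit: exp is encoded as a NumericDate (seconds since the epoch) as RFC 7519 defines it, rather than the ISO timestamp shown in the JSON above, and the verifier insists on alg RS256 in the header so that an assertion declaring alg none or an HMAC algorithm is rejected before any claim is read.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of a private_key_jwt assertion: iss and sub are the client_id, aud is
// the token endpoint, jti is a one-time id, exp is a NumericDate (RFC 7519).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// GenerateDemoKey creates a throwaway 2048-bit RSA key pair (constructed for the demo).
func GenerateDemoKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// BuildClientAssertion produces the RS256 JWT the client sends as client_assertion.
// Lifetime is 60 s: the assertion is a single-use credential, not a session token.
func BuildClientAssertion(key *rsa.PrivateKey, kid, clientID, tokenEndpoint string) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(Claims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: fmt.Sprintf("%x", jti), Exp: time.Now().Add(60 * time.Second).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyClientAssertion is the authorization server's check: signature with the
// registered public key first, then aud, iss==sub, exp and single use of jti.
// seenJTI is the replay cache (a real server would expire entries at exp).
func VerifyClientAssertion(assertion string, pub *rsa.PublicKey, expectedAud string, seenJTI map[string]bool) (*Claims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header must declare alg RS256") // never accept none or HS*
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(rawPayload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	switch {
	case c.Aud != expectedAud:
		return nil, fmt.Errorf("aud %q is not this token endpoint", c.Aud)
	case c.Iss == "" || c.Iss != c.Sub:
		return nil, errors.New("iss and sub must both equal the client_id")
	case c.Exp <= time.Now().Unix():
		return nil, errors.New("assertion expired")
	case c.Jti == "" || seenJTI[c.Jti]:
		return nil, errors.New("jti missing or already used (replay)")
	}
	seenJTI[c.Jti] = true
	return &c, nil
}

func main() {
	key := GenerateDemoKey()
	endpoint := "https://localhost:8443/{tid}/{aid}/oauth2/token" // placeholder from the page
	jwt, _ := BuildClientAssertion(key, "client-key-1", "YzEzMGdoMHJnOHBiOG1ibDhyNTA=", endpoint)
	fmt.Println("client_assertion=" + jwt)
	_, err := VerifyClientAssertion(jwt, &key.PublicKey, endpoint, map[string]bool{})
	fmt.Println("server verdict:", err) // nil means accepted
}
```

The verification order matters: the signature is checked before any claim is trusted, the aud check stops an assertion minted for one authorization server from being replayed at another, and the jti cache stops the same assertion from being presented twice within its lifetime.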
Result

The client is authenticated using the private_key_jwt flow.
When To Use private_key_jwt

In general, client authentication using the private_key_jwt method should be used by companies that need to use secure client authentication flows. This may be the case, for example, for businesses that must comply with the Financial-Grade API (FAPI) standards.
Standards Used in JWT Based Client Authentication
The authorization server processes requests for client authentication using the following standards: