Private Key JWT Client Authentication for OIDC

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.


This section introduces you to Private Key JWT Client Authentication for OIDC and describes how this method is used by clients when authenticating to the authorization server. 


Introduction

Private Key JWT Client Authentication is a client authentication method used at the token endpoint. Only a client that has registered a public key with the authorization server, and that signs a JWT with the corresponding private key, can authenticate; no client secret is sent over the wire.

The JWT must contain the REQUIRED claims iss and sub (both set to the client ID), aud (the URL of the token endpoint), jti (an identifier unique to this assertion) and exp, and may contain OPTIONAL claims such as iat. The full claim definitions for private_key_jwt are in the Client Authentication section of the OpenID Connect Core specification and in RFC 7523.

The signed JWT is sent as the value of the client_assertion parameter of the token request, and the client_assertion_type parameter MUST be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".


Deploying and configuring JWT client-handler artifacts

Follow the instructions below to deploy and configure JWT client-handler artifacts.

  1. Download the Private Key JWT Client Authenticator.

  2. Copy the downloaded org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt-x.x.x.jar to the <IS_HOME>/repository/component/dropins directory.

  3. To register the JWT client authenticator (it is a client authentication method for the token endpoint, not a grant type), add a new <EventListener> entry under the <EventListeners> element of the <IS_HOME>/repository/conf/identity/identity.xml file, as shown below.

    <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
                   name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator"
                   orderId="899" enable="true">
        <Property name="preventTokenReuse">true</Property>
        <Property name="RejectBeforeInMinutes">100</Property>
        <Property name="TokenEndPointAlias">sample url</Property>
    </EventListener>

    The optional properties shown in the entry above are:

    preventTokenReuse      true or false. When true, the jti of every accepted assertion is recorded (the PrivateKeyJWT cache configured in the next step holds these) and any later assertion carrying the same jti is rejected, so a captured assertion cannot be replayed.
    RejectBeforeInMinutes  Maximum validity period, in minutes, that an assertion may claim. An assertion whose exp lies further in the future than this is rejected.
    TokenEndPointAlias     An additional URL (for example, the address of a proxy in front of the token endpoint) accepted as the aud claim besides the token endpoint URL itself. Replace "sample url" with that URL, or omit the property.

  4. Configure the cache used by the authenticator in <IS_HOME>/repository/conf/identity/identity.xml as shown below:

    <CacheConfig>
        <CacheManager name="IdentityApplicationManagementCacheManager">
            ….
            <Cache name="PrivateKeyJWT" enable="true" timeout="10" capacity="5000" isDistributed="false"/>
        </CacheManager>
    </CacheConfig>

  5. Restart the server.

  6. Log in to the Management Console and add a service provider.

  7. Expand OAuth/OpenID Connect Configuration under the Inbound Authentication Configuration section and click Configure.

  8. Enter a callback URL (for example, http://localhost:8080/playground2/oauth2client) and click Add. The OAuth Client Key (the client ID) and OAuth Client Secret are now displayed; the client ID is used as the keystore alias in the following steps.

  9. Obtain the public key certificate of the private_key_jwt issuer (the client). If the client does not yet have a signing key pair, generate one in a keystore, using the OAuth Client Key (client ID) of the application created above as the alias:

    keytool -genkey -alias nwU59qy9AsDqftmwLcfmkvOhvuYa -keyalg RSA -keystore TodayApp.jks

  10. Export the certificate from that keystore, naming the certificate file after the client ID as well. The authenticator looks the client's certificate up by alias, so the alias it is stored under in the Identity Server keystore must be the client ID.

    keytool -export -alias nwU59qy9AsDqftmwLcfmkvOhvuYa -file nwU59qy9AsDqftmwLcfmkvOhvuYa -keystore TodayApp.jks

    If you need the certificate in PEM form instead, convert the keystore to PKCS12 and extract the certificate with OpenSSL (run the commands one after the other):

    keytool -importkeystore -srckeystore TodayApp.jks -destkeystore TodayApp.p12 -deststoretype PKCS12
    openssl pkcs12 -in TodayApp.p12 -nokeys -out pubcert.pem
  11. Log in to the Identity Server management console with admin credentials.

  12. In the Manage menu, click List under Keystores.

  13. Import the certificate exported above (click Import Cert under Actions) into the default keystore defined in <IS_HOME>/repository/conf/carbon.xml (in a default pack, this is wso2carbon.jks). The alias must be the client ID.

    When you view the keystore in the same UI (View under Actions), a certificate whose alias is the client ID should now be listed.

  14. Use the cURL commands below to retrieve an access token (and, for the authorization code grant, a refresh token) using the JWT assertion. Replace <jwt_assertion> with the signed JWT. The -k flag disables TLS certificate verification and is acceptable only against the self-signed certificate of a default pack.

    For the authorization code grant type:

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=f2d0f7dd-df6d-34ac-9d61-851f4f0cab9f&scope=openid&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<jwt_assertion>&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token

    For the client credentials grant type (no redirect_uri is needed, since no authorization code was issued):

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=client_credentials&scope=openid&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<jwt_assertion>" https://localhost:9443/oauth2/token
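The steps above leave the <jwt_assertion> value unexplained. The script below is an added example, not code from the WSO2 documentation or product: it mints a private_key_jwt assertion with the claims described in the Introduction using only a POSIX shell and openssl, checks the signature the way the authorization server does against the registered public key, and wraps the token request. The client ID, the audience (the token endpoint, or whatever TokenEndPointAlias is set to) and the key file paths are illustrative assumptions; the private key is the same one whose certificate was imported into wso2carbon.jks.

```shell
#!/bin/sh
# Added example (not WSO2 code): mint and check a private_key_jwt client assertion
# with only openssl and a POSIX shell. Assumed, illustrative inputs: the client's
# RSA private key as a PEM file, the OAuth Client Key shown in the console as the
# client ID, and the token endpoint URL (or TokenEndPointAlias) as the audience.
set -eu

# base64url (RFC 4648 section 5) of stdin: no padding, no line breaks.
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# Inverse of b64url: restore padding, map the alphabet back, decode to stdout.
b64url_decode() {
  data=$(cat)
  case $(( ${#data} % 4 )) in
    2) data="${data}==" ;;
    3) data="${data}=" ;;
  esac
  printf '%s' "$data" | tr '_-' '/+' | openssl base64 -d -A
}

# make_assertion CLIENT_ID AUDIENCE PRIVATE_KEY_PEM [LIFETIME_SECONDS]
# iss and sub are the client ID, aud is the token endpoint, jti is fresh for every
# assertion (preventTokenReuse rejects a repeated jti), exp is short (keep the
# lifetime under RejectBeforeInMinutes). RS256 is SHA-256 with PKCS#1 v1.5, which
# is exactly what "openssl dgst -sha256 -sign" produces for an RSA key.
make_assertion() {
  client_id=$1; aud=$2; key=$3; lifetime=${4:-300}
  now=$(date +%s)
  jti=$(openssl rand -hex 16)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"%s","jti":"%s","iat":%s,"exp":%s}' \
    "$client_id" "$client_id" "$aud" "$jti" "$now" "$((now + lifetime))" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_assertion JWT PUBLIC_KEY_PEM: succeeds only if the RS256 signature over
# "header.payload" verifies under the registered public key (the server's check).
verify_assertion() {
  jwt=$1; pub=$2
  header=${jwt%%.*}; rest=${jwt#*.}; payload=${rest%%.*}; sig=${rest#*.}
  sigfile=$(mktemp)
  printf '%s' "$sig" | b64url_decode > "$sigfile"
  if printf '%s.%s' "$header" "$payload" \
       | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return $rc
}

# request_token JWT TOKEN_ENDPOINT: client_credentials grant authenticated with the
# assertion. -k is only for the self-signed certificate of a default pack; use
# --cacert with a real CA anywhere else. (Needs a running server; not exercised here.)
request_token() {
  curl -sS -k -X POST "$2" \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=openid' \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "client_assertion=$1"
}

# Usage: sh private_key_jwt.sh <client_id> <token_endpoint> <private_key.pem>
if [ $# -ge 3 ]; then
  make_assertion "$1" "$2" "$3"
fi
```

To use it against the setup above, export the client's private key from TodayApp.jks to PEM (for example via the PKCS12 conversion shown in step 10, with `openssl pkcs12 -nocerts -nodes`), run the script with the client ID and https://localhost:9443/oauth2/token, and pass the printed assertion to request_token or to the cURL commands in step 14. Every call produces a new jti, so with preventTokenReuse enabled an assertion must be minted per token request.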