Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-10309

Support OAuth2 "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" assertion type


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Cannot Reproduce
    • Affects Version/s: 13.0.0, 13.5.0, 14.0.0
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Labels:


      Before I reported multiple BUG in OPENAM-9406 and the NPE has been fixed and new OPENAM-9971 has been raised which haven't been fixed. That fix prevent OpenAM to allow JWT for OAuth2 client authentication.

      First of all OPENAM-10282 type prevents OpenAM to be configured to use the RSA or ECDSA key. Simple type but haven't been fixed.
      If the agent is configured to us its own keyset to verify the JWT for client authentication and it's successful the token introspection call by accident use the very same keyset to verify the token which was issued by OpenAM and use the OAuth2 Provider Setting to sign the OpenAM issued token. Obviously if OpenAM issue the token the OpenAM keyset should be used for verification and if the Client issue a token the client keyset should be used. The attached patch fixes this problem.

      The IoT word would require individually authenticate each device and store their key. Obviously a requirement for supporting properly the PoP Token and not like AME-11953. The attached fix contains the patch that allows to use Subject to map their attributes with OAuth2 Agents. This was we can create 10M user subjects and match them to a handful of OAuth2 client profiles and overwrite the necessary attributes. The given patch has been tested to authenticate with OAuth2 client with JWT, issue token using the standard flow and introspect the token in same way. Using the Device Flow and pair devices and retrieve token the same way. no client_id/client_secret used at all.

      The patch has been tested with OpenAM 14.0.0-SNAPSHOT as is now.


          Issue Links



              • Assignee:
                phillcunnington Phill Cunnington
                laszlo Laszlo Hordos
              • Votes:
                3 Vote for this issue
                6 Start watching this issue


                • Created: