OpenAM / OPENAM-16766

OAuth2 client authentication using JWT profiles is incomplete


    Details


      Description

      Bug description

      There are parts missing from the step-by-step documentation, and customers are finding it difficult to get this working.

      We mention what the client_assertion JWT should contain.

      We don't mention that we need to:

      • set Token Endpoint Authentication Method to private_key_jwt (this seems to work for both symmetric and asymmetric algorithms set in Token Endpoint Authentication Signing Algorithm)
      • set Token Endpoint Authentication Signing Algorithm accordingly, depending on how the client_assertion is signed

      IF using a public/private key pair, we also need to mention the need to set Public Key Selector appropriately (it's not always Client JWT Bearer Public Key):

      • If verifying using a certificate, set it to X509 and set certificate in Client JWT Bearer Public Key
      • If set to JWKs URI, add the URI to Json Web Key URI
      • If set to JWKs, add JWK set to Json Web Key

      IF using HS256, the JWT needs to be signed with the client_secret, I believe (like client_secret_jwt in the spec), so we should mention this.

      If we could also provide some full example requests/responses, that would help too.
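An added worked example, written for this page and not taken from OpenAM or from the issue above, of the exchange the report asks for: the client builds and signs the client_assertion JWT (RS256 with a private key for private_key_jwt, or HS256 with the client_secret for client_secret_jwt), POSTs it with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and the token endpoint verifies it with the algorithm and key taken from the client's registration, not from the JWT header, then checks iss/sub, aud, exp and jti. The claim set follows RFC 7523 section 3. The client ID "myClient", the host openam.example.com, the "profile" scope and the client_credentials grant are constructed demo values; /oauth2/access_token is OpenAM's token endpoint path.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// client_assertion_type value defined by RFC 7523.
const assertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

// Claim set of the client_assertion (RFC 7523 section 3): iss and sub are the client_id, aud is the token endpoint, exp bounds the lifetime, jti lets the server refuse replays.
type assertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64(b []byte) string   { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func hs256(secret, input []byte) []byte { m := hmac.New(sha256.New, secret); m.Write(input); return m.Sum(nil) }

// newClaims builds a short-lived claim set with a fresh random jti.
func newClaims(clientID, tokenEndpoint string, now time.Time) assertionClaims {
	jti := make([]byte, 16)
	rand.Read(jti)
	return assertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Exp: now.Add(time.Minute).Unix(), Jti: fmt.Sprintf("%x", jti)}
}

// signAssertion returns the compact JWS. An *rsa.PrivateKey means private_key_jwt (RS256); a
// []byte client_secret means client_secret_jwt (HS256). Key type and alg must agree.
func signAssertion(alg string, key interface{}, c assertionClaims) (jws string, err error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	var sig []byte
	switch k := key.(type) {
	case *rsa.PrivateKey:
		if alg != "RS256" { return "", fmt.Errorf("an RSA key requires alg RS256, not %s", alg) }
		d := sha256.Sum256([]byte(input))
		if sig, err = rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, d[:]); err != nil { return "", err }
	case []byte:
		if alg != "HS256" { return "", fmt.Errorf("a client_secret requires alg HS256, not %s", alg) }
		sig = hs256(k, []byte(input))
	default:
		return "", fmt.Errorf("unsupported key type %T", key)
	}
	return input + "." + b64(sig), nil
}

// tokenRequestBody is the form body POSTed to the token endpoint; the assertion replaces client_id/client_secret parameters and HTTP Basic credentials.
func tokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {"client_credentials"}, "scope": {"profile"},
		"client_assertion_type": {assertionType}, "client_assertion": {assertion}}.Encode()
}

// verifyAssertion is the token endpoint's side. expectedAlg and key come from the client's
// registration, never from the JWT header, so an assertion cannot choose its own algorithm.
func verifyAssertion(jwt, expectedAlg string, key interface{}, clientID, tokenEndpoint string,
	now time.Time, seenJTI map[string]bool) (c assertionClaims, err error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 { return c, fmt.Errorf("malformed JWT") }
	var hdr struct{ Alg string `json:"alg"` }
	if err = json.Unmarshal(unb64(parts[0]), &hdr); err != nil { return c, err }
	if hdr.Alg != expectedAlg { return c, fmt.Errorf("alg %q but client is registered for %q", hdr.Alg, expectedAlg) }
	input, sig := parts[0]+"."+parts[1], unb64(parts[2])
	switch k := key.(type) {
	case *rsa.PublicKey:
		d := sha256.Sum256([]byte(input))
		if expectedAlg != "RS256" || rsa.VerifyPKCS1v15(k, crypto.SHA256, d[:], sig) != nil { return c, fmt.Errorf("RS256 signature invalid") }
	case []byte:
		if expectedAlg != "HS256" || !hmac.Equal(hs256(k, []byte(input)), sig) { return c, fmt.Errorf("HS256 MAC invalid") }
	default:
		return c, fmt.Errorf("unsupported key type %T", key)
	}
	if err = json.Unmarshal(unb64(parts[1]), &c); err != nil { return c, err }
	if c.Iss != clientID || c.Sub != clientID { return c, fmt.Errorf("iss/sub is not the authenticating client") }
	if c.Aud != tokenEndpoint { return c, fmt.Errorf("aud is not this token endpoint") }
	if now.Unix() >= c.Exp { return c, fmt.Errorf("assertion expired") }
	if c.Jti == "" || seenJTI[c.Jti] { return c, fmt.Errorf("jti missing or replayed") }
	seenJTI[c.Jti] = true
	return c, nil
}

func main() { // constructed demo; the host name is an assumption, /oauth2/access_token is OpenAM's token endpoint path
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const clientID, ep = "myClient", "https://openam.example.com/openam/oauth2/access_token"
	jwt, _ := signAssertion("RS256", priv, newClaims(clientID, ep, time.Now()))
	_, err := verifyAssertion(jwt, "RS256", &priv.PublicKey, clientID, ep, time.Now(), map[string]bool{})
	fmt.Printf("POST %s\n%s\nserver verdict: %v\n", ep, tokenRequestBody(jwt), err)
}
```

The body printed by main is what goes on the wire with Content-Type application/x-www-form-urlencoded. On the server side the expectedAlg argument plays the role of the client's Token Endpoint Authentication Signing Algorithm setting and key plays the role of whatever the Public Key Selector points at (certificate, JWKs URI or inline JWK set) or, for HS256, the client_secret; an assertion whose header names a different algorithm, or whose signature was made with the wrong kind of key, is refused before any claim is looked at.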

People
cristina.herraz Cristina Herraz (Inactive)
aaron.haskins Aaron Haskins