[OPENIG-1412] RFE: Support private_key_jwt for client authentication to OIDC token endpoint Created: 26/Oct/16  Updated: 24/Oct/17  Resolved: 27/Mar/17

Status: Closed
Project: Identity Gateway
Component/s: None
Affects Version/s: 4.5.0
Fix Version/s: 5.5.0

Type: Improvement Priority: Major
Reporter: Andrew Dunn [X] (Inactive) Assignee: Violette Roche Montane
Resolution: Fixed Votes: 0
Labels: 5.5-Candidate, CustomerRFE, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on OPENAM-10309 Support OAuth2 "urn:ietf:params:oauth... Closed
is required by OPENIG-1694 Doc: Support private_key_jwt for clie... Closed
is required by OPENIG-1713 private_key_jwt must support a KeyStore Closed
Relates
relates to OPENIG-1624 OpenID Connect: support RFC set of au... Closed
is related to OPENIG-550 Default Token Endpoint Authentication... Closed
Support Ticket IDs:
Sprint: OpenIG Sprint 97, OpenIG Sprint 98, OpenIG Sprint 99, OpenIG Sprint 100, OpenIG Sprint 101

 Description   

OpenIG's ClientRegistration class appears to support client_secret_basic or client_secret_post to authenticate to the OIDC token endpoint.
It's requested that private_key_jwt is also supported.

http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication



 Comments   
Comment by Violette Roche Montane [ 19/Jan/17 ]

See also https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12

Comment by Violette Roche Montane [ 25/Jan/17 ]

It is pretty hard to find a provider to test the new implementation. Any ideas are welcome.

Note that Salesforce does support the private_key_jwt authentication but their implementation does not respect the OIDC RFC. For further info, see Salesforce documentation.
They use

grant_type= urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJpc3MiOiAiM01WRz...[omitted for brevity]...ZT

instead of:

client_id=s6BhdRkqt3&
client_assertion_type=
urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT

as specified in the RFC.
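
The two request shapes contrasted in the comment above, as an added Node.js example that is not part of the original comment or of OpenIG's code: it builds a token request authenticated with private_key_jwt and, on the receiving side, tells that form apart from the jwt-bearer grant form before verifying the assertion. The function names, result strings and any endpoint URL passed in are assumptions made for illustration, and aud is compared as a single string.

```javascript
const crypto = require('crypto');

const ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
const JWT_BEARER_GRANT = 'urn:ietf:params:oauth:grant-type:jwt-bearer';
const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Client side: the signed JWT for private_key_jwt (OIDC Core, section 9).
// iss and sub are both the client_id; aud is the token endpoint.
function buildClientAssertion(clientId, tokenEndpoint, privateKey) {
  const now = Math.floor(Date.now() / 1000);
  const claims = { iss: clientId, sub: clientId, aud: tokenEndpoint,
    jti: crypto.randomBytes(16).toString('hex'), iat: now, exp: now + 60 };
  const input = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    b64url(JSON.stringify(claims));
  return input + '.' + b64url(crypto.sign('sha256', Buffer.from(input), privateKey));
}

// Client side: authorization_code token request authenticated by the assertion.
function buildTokenRequest(clientId, tokenEndpoint, privateKey, code, redirectUri) {
  return new URLSearchParams({
    grant_type: 'authorization_code', code, redirect_uri: redirectUri,
    client_assertion_type: ASSERTION_TYPE,
    client_assertion: buildClientAssertion(clientId, tokenEndpoint, privateKey),
  }).toString();
}

// Receiving side: tell the two request shapes apart, then verify the assertion.
// A real endpoint would also reject a jti it has already seen.
function checkClientAuth(body, publicKey, tokenEndpoint) {
  const p = new URLSearchParams(body);
  const jwt = p.get('client_assertion');
  if (p.get('client_assertion_type') !== ASSERTION_TYPE || !jwt) {
    return p.get('grant_type') === JWT_BEARER_GRANT && p.has('assertion')
      ? 'jwt-bearer grant, not client authentication' : 'no client assertion';
  }
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed assertion';
  const [h, c, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64').toString());
    claims = JSON.parse(Buffer.from(c, 'base64').toString());
  } catch (e) { return 'malformed assertion'; }
  if (!header || !claims || header.alg !== 'RS256') return 'malformed or unexpected alg';
  const sig = Buffer.from(s, 'base64'); // Node's base64 decoder also accepts base64url
  if (!crypto.verify('sha256', Buffer.from(h + '.' + c), publicKey, sig)) return 'bad signature';
  const fresh = claims.exp > Math.floor(Date.now() / 1000);
  return claims.iss === claims.sub && claims.aud === tokenEndpoint && fresh
    ? 'private_key_jwt ok' : 'claims rejected';
}
```

To try it, pass a key pair from `crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })` to both sides; a body in the `grant_type=...jwt-bearer&assertion=...` shape is reported as a grant rather than as client authentication.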

Comment by Jean-Charles Deville [ 24/Oct/17 ]

Closed after 5.5.0-release

Generated at Wed Nov 25 05:12:09 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.