Client authentication methods
In the context of OAuth 2.0, confidential clients have to authenticate with the authorization server when making requests to the token endpoint. According to RFC 6749, if the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication that meets its security requirements.
How does this work?
OneWelcome supports multiple ways of authenticating OAuth2 clients, compliant with the RFC specification, such as:
- client_secret_post: client_id and client_secret have to be sent as form data
- client_secret_basic: client_id and client_secret have to be sent in the Authorization Basic header
- none: this option has to be set for public clients, where no authentication is needed
- private_key_jwt: requires the client to generate a private/public key pair
How does private key JWT client authentication work?
In order to use this client authentication method, the RP has to generate a private and a public key, and configure the public key on the OAuth2 client. For requests to the token API, the RP has to generate a JWT signed with the private key, and that JWT has to contain a set of mandatory claims.
Example of generating a public and private key:
Run the following commands in a terminal:
1. keytool -genkey -alias <yourOauth2ClientName> -keyalg RSA -keystore TodayApp.jks
2. keytool -export -alias <yourOauth2ClientName> -file nwU59qy9AsDqftmwLcfmkvOhvuYa -keystore TodayApp.jks
3. keytool -importkeystore -srckeystore TodayApp.jks -destkeystore TodayApp.p12 -deststoretype PKCS12
4. openssl pkcs12 -in TodayApp.p12 -nokeys -out pubcert.pem
5. openssl pkcs12 -in TodayApp.p12 -nodes -nocerts -out privatekey.pem
Example of a token request using private key JWT:
curl --request POST \
--url https://www.ongo.com/bikes/auth/oauth2.0/v1/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=refresh_token \
--data refresh_token=dcde74ce-3fe1-4b12-b5d2-9e7dbeaab51b \
--data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
--data client_assertion=<YOUR GENERATED JWT>
The mandatory and optional claims the generated JWT needs to contain are listed below:
Claim | Description
---|---
iss | REQUIRED. Issuer. This MUST contain the client_id of the OAuth Client.
sub | REQUIRED. Subject. This MUST contain the client_id of the OAuth Client.
aud | REQUIRED. Audience. Value that identifies the Authorization Server as an intended audience. The Authorization Server MUST verify that it is an intended audience for the token. The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.
exp | REQUIRED. Expiration time on or after which the JWT MUST NOT be accepted for processing.
iat | OPTIONAL. Time at which the JWT was issued.
An example of a decoded JWT payload can be seen below:
{
  "sub": "jwt-bearer-client",
  "aud": [
    "https://www.ongo.com/auth/oauth2.0/v1/access_token",
    "https://www.ongo.com/auth/oauth2.0/v1/revoke",
    "https://www.ongo.com/auth/oauth2.0/v1/introspect"
  ],
  "iss": "jwt-bearer-client",
  "exp": 1606331802
}