JWT profile
The OAuth 2.0 client authenticates by sending a signed JSON Web Token (JWT) Bearer Token as described in RFC 7523, JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants:
$ curl \
--request POST \
--data "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer" \
--data "client_assertion=the-signed-JWT" \
…
Client configuration
The JWT issuer must digitally sign the JWT or apply a Message Authentication Code (MAC). When the client is the JWT issuer, it can sign the JWT with a private key.
To use this authentication method for a confidential OAuth 2.0 client, edit the client profile in the AM admin UI:
-
Go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID > Advanced.
-
Add Grant Types:
JWT Bearer
. -
Set Token Endpoint Authentication Method to
private_key_jwt
. -
Save your work before switching tabs.
-
Update additional settings depending on the mechanism for signing the JWT.
AM must validate the JWT to authenticate the client.
Mechanism Settings Certificate-based
The client protects the JWT with public-private key cryptography with the public key in a digital certificate.
On the Signing and Encryption tab:
-
Set Client JWT Bearer Public Key to the PEM-format value of the JWT issuer’s public key, as in the following example:
-----BEGIN CERTIFICATE----- MIIDETCCAfmgAwIBAgIEU8SXLjANBgkqhkiG9w0BAQsFADA5MRswGQYDVQQKExJvcGVuYW0uZXhh bXBsZS5jb20xGjAYBgNVBAMTEWp3dC1iZWFyZXItY2xpZW50MB4XDTE0MTAyNzExNTY1NloXDTI0 ... TeGSgcqEAd6XlGXY1+M/yIeouUTi0F1bk1rNlqJvd57Xb4CEq17tVbGBm0hkECM8 -----END CERTIFICATE-----
-
Set Public key selector to
X509
.
A client can have only one public key.
HMAC secret
The client protects the JWT with a Hash-based Message Authentication Code (HMAC).
On the Core tab, reset the client secret to the HMAC secret.
The HMAC secret must contain at least 32 octets and sufficient entropy for a cryptographically strong key, as described in the Symmetric Key Entropy section of the OpenID Connect 1.0 specification.
A client can have only one HMAC secret.
JWK set in the client profile
The client protects the JWT with public-private key cryptography with the public key in a JSON Web Key (JWK).
On the Signing and Encryption tab:
-
Set Public key selector to
JWKs
. -
Paste the JWK set into the Json Web Key field.
The JWK set is similar to the following:
{ "keys": [ { "alg": "RSA-OAEP-256", "kty": "RSA", "use": "sig", "kid": "RemA6Gw0...LzsJ5zG3E=", "n": "AL4kjz74rDo3VQ3Wx...nhch4qJRGt2QnCF7M0", "e": "AQAB" } ] }
Enter a JWK set with multiple JWKs for certificate rotation.
JWK set in a URI
The client protects the JWT with public-private key cryptography with the public key in a JWK.
On the Signing and Encryption tab:
-
Set Public key selector to
JWKs_URI
. -
Paste the URI to the JWK set into the Json Web Key URI field.
-
-
Save your work.
Make sure all connections to AM use HTTPS to protect any secrets, including the JWT.
The JWT profile flow
The following sequence diagram shows a JWT profile authentication flow:
-
The client requests a JWT from the issuer.
Clients can generate their own JWTs. They can also delegate the task to a separate service in the deployment.
AM cannot generate JWTs for this purpose.
-
The issuer returns a signed JWT to the client.
-
The client POSTs the JWT and a client assertion type as parameters of an OAuth 2.0 request:
-
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
-
client_assertion=the-signed-JWT
-
-
AM validates the JWT using the public key from the client profile.
-
AM issues the response, such as an access token.
The JWT profile claims
The JWT Bearer Token must contain at least the following claims:
Claim | Description | ||
---|---|---|---|
|
The authorization server that is the intended audience of the JWT;
must be the AM token endpoint, such as
|
||
|
The expiration time. This must be at most 30 minutes in the future.
If not, AM returns a |
||
|
The unique identifier of the issuer that digitally signs the JWT:
|
||
|
A random, unique identifier for the JWT. Required if the client requests the |
||
|
The principal who is the subject of the JWT; must be the |
AM ignores keys specified in JWT headers, such as jku
and jwe
.
For additional details, refer to the section of RFC 7523 on JWT Format and Processing Requirements.
Sample JWT profile client
The AM code samples include a Java-based client to test the JWT token bearer flow.
For details, refer to How do I access and build the sample code provided for AM (All versions)? in the Knowledge Base.