PrivateKeyJwtClientAuthenticationFilter
Supports client authentication with the private_key_jwt client assertion, using an unencrypted JWT (the JWT is signed, not encrypted).
Clients send a signed JWT to the Authorization Server. IG builds and signs the JWT, and prepares the request as in the following example:
POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...&
client_id=<clientregistration_id>&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT
Use this filter with an endpoint handler that requires authentication with the private_key_jwt client assertion, using an unencrypted JWT; for example, the endpointHandler of the OAuth2TokenExchangeFilter.
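As an added example (not taken from the IG documentation), the route fragment below wraps the handler that talks to the token endpoint in a Chain together with this filter, so the Chain can be referenced wherever an endpointHandler is expected. The client ID, token endpoint URL, secrets provider name (SecretsProvider-1) and secret ID are assumed values; ClientHandler is IG's standard outbound handler.

```json
{
  "name": "TokenEndpointClient",
  "type": "Chain",
  "config": {
    "filters": [
      {
        "type": "PrivateKeyJwtClientAuthenticationFilter",
        "config": {
          "clientId": "ig-client",
          "tokenEndpoint": "https://as.example.com/oauth2/token",
          "secretsProvider": "SecretsProvider-1",
          "signingSecretId": "id.key.for.signing.jwt",
          "signingAlgorithm": "ES256",
          "jwtExpirationTimeout": "1 minute"
        }
      }
    ],
    "handler": "ClientHandler"
  }
}
```

Every token request sent through this Chain carries a freshly built and signed assertion. The signingAlgorithm must match the key that signingSecretId resolves to: ES256 as shown requires an EC key on the P-256 curve, while the RS256 default requires an RSA key. The "claims" property is omitted here, so only the standard assertion claims are sent.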
Usage
{
  "name": string,
  "type": "PrivateKeyJwtClientAuthenticationFilter",
  "config": {
    "clientId": configuration expression<string>,
    "tokenEndpoint": configuration expression<url>,
    "secretsProvider": SecretsProvider reference,
    "signingSecretId": configuration expression<secret-id>,
    "signingAlgorithm": configuration expression<string>,
    "jwtExpirationTimeout": configuration expression<duration>,
    "claims": map or configuration expression<map>
  }
}
Configuration

"clientId": configuration expression<string>, required
The client_id obtained when registering with the Authorization Server.

"tokenEndpoint": configuration expression<url>, required
The URL of the Authorization Server's OAuth 2.0 token endpoint.

"secretsProvider": SecretsProvider reference, required
The SecretsProvider to resolve queried secrets, such as passwords and cryptographic keys. For allowed formats, refer to SecretsProvider.

"signingSecretId": configuration expression<string>, required
Reference to the key used to sign the JWT. This secret ID must point to a CryptoKey.

"signingAlgorithm": configuration expression<string>, optional
The JSON Web Algorithm (JWA) used to sign the JWT, such as:
- RS256: RSA using SHA-256
- ES256: ECDSA with SHA-256 and the NIST P-256 elliptic curve
- ES384: ECDSA with SHA-384 and the NIST P-384 elliptic curve
- ES512: ECDSA with SHA-512 and the NIST P-521 elliptic curve
The algorithm must match the type of key that signingSecretId resolves to: an RSA key for RS256, an EC key on the matching curve for the ES algorithms.
Default: RS256

"jwtExpirationTimeout": configuration expression<duration>, optional
The duration for which the JWT is valid. The assertion's exp claim is set from this value, so keep it short: a captured assertion can be replayed against the token endpoint until it expires.
Default: 1 minute

"claims": map or configuration expression<map>, optional
A map of one or more data pairs with the format Map<String, Object>, where:
- the key is the name of a claim used in authentication
- the value is the value of the claim, or a configuration expression that evaluates to the value
The following formats are allowed:
{ "claims": { "string": "configuration expression<string>", ... } }
{ "claims": "configuration expression<map>" }
Default: Empty
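The Go program below is an added illustration and is not IG code or part of its documentation. It shows both halves of the exchange behind the request shown earlier on this page: the client building the ES256-signed private_key_jwt assertion that travels in the client_assertion parameter (iss and sub set to the client_id, aud set to the token endpoint, a random jti, and exp derived from a lifetime that plays the role of jwtExpirationTimeout, with an optional extra map standing in for the "claims" property), and the Authorization Server validating it, as RFC 7523 requires for client authentication. The client_id, token endpoint URL and function names are assumptions, and a freshly generated P-256 key stands in for the CryptoKey that signingSecretId would resolve to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// b64 is the unpadded base64url alphabet JWS uses for every segment.
var b64 = base64.RawURLEncoding

// buildAssertion is the client (IG) side: an ES256-signed private_key_jwt assertion with
// iss = sub = client_id, aud = token endpoint, a random jti and exp = now + ttl, where ttl
// plays the role of jwtExpirationTimeout and extra the role of the optional "claims" map.
func buildAssertion(key *ecdsa.PrivateKey, clientID, tokenEndpoint string,
	now time.Time, ttl time.Duration, extra map[string]interface{}) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims := map[string]interface{}{}
	for k, v := range extra {
		claims[k] = v
	}
	// Registered claims are set last so that "claims" cannot override them.
	claims["iss"], claims["sub"], claims["aud"] = clientID, clientID, tokenEndpoint
	claims["jti"], claims["iat"], claims["exp"] = b64.EncodeToString(jti), now.Unix(), now.Add(ttl).Unix()
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature: raw r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAssertion is the Authorization Server side: pin the algorithm, verify the signature
// with the client's registered public key, then enforce iss/sub, aud and exp. seenJTI records
// consumed jti values so a captured assertion cannot be replayed within its lifetime.
func verifyAssertion(pub *ecdsa.PublicKey, assertion, clientID, tokenEndpoint string,
	now time.Time, seenJTI map[string]bool) (map[string]interface{}, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unexpected alg") // the server, not the token, picks the algorithm
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]interface{}
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["iss"] != clientID || claims["sub"] != clientID || claims["aud"] != tokenEndpoint {
		return nil, errors.New("iss, sub or aud does not match this client and endpoint")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("assertion expired or missing exp")
	}
	jti, _ := claims["jti"].(string)
	if jti == "" || seenJTI[jti] {
		return nil, errors.New("missing or replayed jti")
	}
	seenJTI[jti] = true
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the CryptoKey behind signingSecretId
	assertion, _ := buildAssertion(key, "ig-client", "https://as.example.com/oauth2/token", time.Now(), time.Minute, nil)
	fmt.Println("client_assertion=" + assertion)
}
```

The verifier checks in the order that matters: the algorithm is pinned before the signature is examined, the signature is checked before any claim is trusted, and only then are iss/sub, aud and exp enforced. The aud check is what stops an assertion minted for one token endpoint from being presented to another, and the jti record together with a short jwtExpirationTimeout is what bounds the replay window.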