IG 2023.4

PrivateKeyJwtClientAuthenticationFilter

Supports client authentication with the private_key_jwt client-assertion, using an unencrypted JWT.

Clients send a signed JWT to the authorization server. IG builds and signs the JWT, and prepares the request as in the following example:

POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...&
client_id=<clientregistration_id>&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT

Use this filter with an endpoint handler that requires authentication with the with the private_key_jwt client-assertion, using an unencrypted JWT. For example, the endpointHandler handler in the OAuth2TokenExchangeFilter.

Usage

{
  "name": string,
  "type": "PrivateKeyJwtClientAuthenticationFilter",
  "config": {
    "clientId": configuration expression<string>,
    "tokenEndpoint": configuration expression<url>,
    "secretsProvider": SecretsProvider reference,
    "signingSecretId": configuration expression<secret-id>,
    "signingAlgorithm": configuration expression<string>,
    "jwtExpirationTimeout": configuration expression<duration>,
    "claims": map or configuration expression<map>
  }
}

Configuration

"clientId": configuration expression<string>, required

The client_id obtained when registering with the authorization server.

"tokenEndpoint": configuration expression<url>, required

The URL to the authorization server’s OAuth 2.0 token endpoint.

"secretsProvider": SecretsProvider reference, required

The SecretsProvider to resolve queried secrets, such as passwords and cryptographic keys. For allowed formats, refer to SecretsProvider.

"signingSecretId": configuration expression<string>, required

Reference to the keys used to sign the JWT.

This secret ID must point to a CryptoKey.

"signingAlgorithm": configuration expression<string>, optional

The JSON Web Algorithm (JWA) used to sign the JWT, such as:

  • RS256: RSA using SHA-256

  • ES256: ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  • ES384: ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  • ES512: ECDSA with SHA-512 and NIST standard P-521 elliptic curve

Default: RS256

"jwtExpirationTimeout": configuration expression<duration>, optional

The duration for which the JWT is valid.

Default: 1 minute

"claims": map or configuration expression<map>, optional

A map of one or more data pairs with the format Map<String, Object>, where:

  • The key is the name of a claim used in authentication

  • The value is the value of the claim, or a configuration expression that evaluates to the value

The following formats are allowed:

{
  "args": {
    "string": "configuration expression<string>",
    ...
  }
}
{
  "args": "configuration expression<map>"
}

Default: Empty

Copyright © 2010-2023 ForgeRock, all rights reserved.