ConfirmationKeyVerifierAccessTokenResolver
Supported with AM 6.5.1 and later versions.
In OAuth2ResourceServerFilter, use the ConfirmationKeyVerifierAccessTokenResolver to verify that certificate-bound OAuth 2.0 bearer tokens presented by clients use the same mTLS-authenticated HTTP connection.
When a client obtains an access_token from AM by using mTLS, AM can optionally use a confirmation key to bind the access_token to a certificate. When the client connects to IG using that certificate, the ConfirmationKeyVerifierAccessTokenResolver verifies that the confirmation key corresponds to the certificate.
This proof-of-possession interaction ensures that only the client in possession of the key corresponding to the certificate can use the access_token to access protected resources.
To use the ConfirmationKeyVerifierAccessTokenResolver, the following configuration is required in AM:
- OAuth 2.0 clients must be registered using an X.509 certificate that is self-signed or signed by a public key infrastructure (PKI).
- The AM client authentication method must be self_signed_client_auth or tls_client_auth.
- AM must be configured to bind a confirmation key to each client certificate.
The ConfirmationKeyVerifierAccessTokenResolver delegates the token resolution to a specified AccessTokenResolver, which retrieves the token information. The ConfirmationKeyVerifierAccessTokenResolver verifies the confirmation keys bound to the access_token, and then acts as follows:
- If there is no confirmation key, pass the request down the chain.
- If the confirmation key matches the client certificate, pass the request down the chain.
- If the confirmation key doesn’t match the client certificate, throw an error.
- If the confirmation key method is not supported by IG, throw an error.
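The decision rules above, worked through as an added example that is not IG's own code. It assumes the confirmation key is carried in an RFC 8705 style cnf claim with the x5t#S256 method (the base64url SHA-256 thumbprint of the client's DER certificate); the delegate resolver, the certificate bytes and the token records are constructed stand-ins for what the real delegate and the mTLS connection would supply. A certificate-bound token presented with no client certificate is treated as a mismatch, which is an assumption this example makes rather than a rule the page states.

```python
import base64
import hashlib
from typing import Callable, Dict, Optional

# Constructed sample bytes standing in for DER-encoded client certificates.
# In a real resolver the certificate comes from the mTLS connection, never from a constant.
CLIENT_CERT_DER = b"-- constructed DER bytes of the registered client certificate --"
OTHER_CERT_DER = b"-- constructed DER bytes of some other certificate --"

# Confirmation methods this verifier understands (assumption: only x5t#S256, per RFC 8705).
SUPPORTED_CNF_METHODS = {"x5t#S256"}


class ConfirmationKeyError(Exception):
    """Raised when a certificate-bound token cannot be confirmed for this connection."""


def x5t_s256(cert_der: bytes) -> str:
    """Base64url-encoded (unpadded) SHA-256 thumbprint of a DER certificate, the x5t#S256 value."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_confirmation_key(token_info: Dict, client_cert_der: Optional[bytes]) -> Dict:
    """Apply the four rules to already-resolved token info and return it if the request may proceed."""
    cnf = token_info.get("cnf")
    if not cnf:
        # Rule 1: no confirmation key, so this is a plain bearer token; pass it down the chain.
        return token_info
    unsupported = set(cnf) - SUPPORTED_CNF_METHODS
    if unsupported:
        # Rule 4: a confirmation method the verifier does not implement cannot be trusted.
        raise ConfirmationKeyError(f"unsupported confirmation method(s): {sorted(unsupported)}")
    if client_cert_der is None:
        # Assumption: a bound token with no presented certificate can never match (treated as rule 3).
        raise ConfirmationKeyError("certificate-bound token presented without a client certificate")
    if cnf["x5t#S256"] != x5t_s256(client_cert_der):
        # Rule 3: the key the token is bound to is not the one on this connection.
        raise ConfirmationKeyError("confirmation key does not match the client certificate")
    # Rule 2: thumbprint matches; pass down the chain.
    return token_info


def make_resolver(delegate: Callable[[str], Dict]) -> Callable[[str, Optional[bytes]], Dict]:
    """Wrap a delegate token resolver (token string -> token info) with confirmation-key checking."""
    def resolve(access_token: str, client_cert_der: Optional[bytes]) -> Dict:
        token_info = delegate(access_token)          # delegate does the actual token lookup
        return verify_confirmation_key(token_info, client_cert_der)
    return resolve


# Constructed token store standing in for the delegate resolver's back end (e.g. AM introspection).
SAMPLE_TOKENS = {
    "plain-token": {"active": True, "scope": "read"},
    "bound-token": {"active": True, "scope": "read", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}},
    "odd-method-token": {"active": True, "scope": "read", "cnf": {"jkt": "constructed-jwk-thumbprint"}},
}


def sample_delegate(access_token: str) -> Dict:
    """Constructed delegate: look the token up in the sample store."""
    try:
        return SAMPLE_TOKENS[access_token]
    except KeyError:
        raise ConfirmationKeyError("unknown token") from None


resolve_with_confirmation = make_resolver(sample_delegate)

if __name__ == "__main__":
    print(resolve_with_confirmation("plain-token", None))
    print(resolve_with_confirmation("bound-token", CLIENT_CERT_DER))
    try:
        resolve_with_confirmation("bound-token", OTHER_CERT_DER)
    except ConfirmationKeyError as exc:
        print("rejected:", exc)
```

The delegate is kept separate from the check on purpose, mirroring the page's split between the resolver that fetches token information and the verifier that decides whether the presented certificate confirms it; the verifier never looks at anything except the cnf claim and the certificate bytes from the connection.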
For an example that uses the ConfirmationKeyVerifierAccessTokenResolver, see Validate Certificate-Bound Access Tokens.
For information about issuing certificate-bound OAuth 2.0 access_tokens, see Certificate-Bound Proof-of-Possession in AM’s OAuth 2.0 Guide. For information about authenticating an OAuth 2.0 client using mTLS certificates, see Authenticating Clients Using Mutual TLS in AM’s OAuth 2.0 Guide.
Usage
Use this resolver with the accessTokenResolver property of OAuth2ResourceServerFilter.

"accessTokenResolver": {
  "type": "ConfirmationKeyVerifierAccessTokenResolver",
  "config": {
    "delegate": accessTokenResolver reference
  }
}
Properties
"delegate": accessTokenResolver reference, required
The access token resolver to use for resolving access_tokens. Use any access token resolver described in Access Token Resolvers.
Examples
For an example that uses the ConfirmationKeyVerifierAccessTokenResolver with the following route, see Validate Certificate-Bound Access Tokens.