EncryptedPrivateKeyJwtClientAuthenticationFilter
Supports client authentication with the private_key_jwt
client-assertion,
using a signed and encrypted JWT.
Clients send a signed and encrypted JWT to the authorization server. IG builds, signs and encrypts the JWT, and prepares the request as in the following example:
POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=...&
client_id=<clientregistration_id>&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT
Use this filter with an endpoint Handler
that requires authentication with the
private_key_jwt
client-assertion, using an encrypted JWT. For example, the
endpointHandler
handler in the
OAuth2TokenExchangeFilter.
Usage
{
"name": string,
"type": "EncryptedPrivateKeyJwtClientAuthenticationFilter",
"config": {
"encryptionAlgorithm": configuration expression<enumeration>,
"encryptionMethod": configuration expression<string>,
"encryptionSecretId": configuration expression<secret-id>,
"clientId": configuration expression<string>,
"tokenEndpoint": configuration expression<url>,
"secretsProvider": SecretsProvider reference,
"signingSecretId": configuration expression<string>,
"signingAlgorithm": configuration expression<string>,
"jwtExpirationTimeout": configuration expression<duration>,
"claims": map
}
}
Configuration
"encryptionAlgorithm"
: configuration expression<string>, required-
The algorithm name used for encryption and decryption. Use algorithm names from Java Security Standard Algorithm Names.
"encryptionMethod"
: configuration expression<string>, optional-
The algorithm method to use for encryption. Use algorithms from RFC 7518, section-5.1.
"encryptionSecretId"
: configuration expression<secret-id>, required-
The secret-id of the keys used to encrypt the JWT.
"clientId"
: configuration expression<string>, required-
The
client_id
obtained when registering with the authorization server. "tokenEndpoint"
: configuration expression<url>, required-
The URL to the authorization server’s OAuth 2.0 token endpoint.
"secretsProvider"
: SecretsProvider reference, required-
The SecretsProvider to resolve queried secrets, such as passwords and cryptographic keys. For allowed formats, see SecretsProvider.
"signingSecretId"
: configuration expression<string>, required-
Reference to the keys used to sign the JWT.
"signingAlgorithm"
: configuration expression<string>, optional-
The JSON Web Algorithm (JWA) used to sign the JWT, such as:
-
RS256
: RSA using SHA-256 -
ES256
: ECDSA with SHA-256 and NIST standard P-256 elliptic curve -
ES384
: ECDSA with SHA-384 and NIST standard P-384 elliptic curve -
ES512
: ECDSA with SHA-512 and NIST standard P-521 elliptic curve
Default:
RS256
-
"jwtExpirationTimeout"
: configuration expression<duration>, optional-
The duration for which the JWT is valid.
Default: 1 minute
"claims"
: map, optional-
The claims used in the authentication.
The map can be structured as follows:
-
As a configuration expression of a map, where the evaluation is an object of type
Map<String, Object>
. -
As a map whose key is a string, and whose values are configuration expressions.
Default: Empty
-