This documentation is for WSO2 Identity Server 5.3.0.

This section describes how to use the Private Key JWT Client Authenticator with WSO2 Identity Server as the method by which clients authenticate to the authorization server at the token endpoint. With this mechanism a client can authenticate only if it has registered a public key and presents a JWT signed with the corresponding private key.

The following topics walk you through the steps you need to follow to deploy and configure JWT client-handler artifacts so that you can use Private Key JWT Client Authenticator 1.0.1 with WSO2 Identity Server.

Pre-requisites

  • Maven 3.x

  • Java 1.7 or above

  • Download and install WSO2 Identity Server. For detailed information on how to install WSO2 Identity Server, see Installing the Product.

Deploying and configuring JWT client-handler artifacts

Follow the instructions below to deploy and configure JWT client-handler artifacts.

  1. Download Private Key JWT Client Authenticator 1.0.1

  2. Copy the downloaded org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt-1.0.1.jar to the <IS_HOME>/repository/components/dropins directory.
  3. To register the JWT client authentication handler and its grant validators, edit the <IS_HOME>/repository/conf/identity/identity.xml file and do the following:

    • Add the following configuration under the <OAuth><ClientAuthHandlers> element:

      <ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthHandler">
          <Property Name="RejectBeforePeriodInMinutes">60</Property>
      </ClientAuthHandler>

    • Under <SupportedGrantTypes>, update the authorization_code grant type configuration as follows to include the <GrantTypeValidatorImplClass>:

      <SupportedGrantType>
          <GrantTypeName>authorization_code</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.grant.JWTAuthorizationCodeGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>

    • Under <SupportedGrantTypes>, update the client_credentials grant type configuration as follows to include the <GrantTypeValidatorImplClass>:

      <SupportedGrantType>
          <GrantTypeName>client_credentials</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.grant.JWTClientCredentialGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>
  4. Create a new table in the identity datasource configured in the <IS_HOME>/repository/conf/identity/identity.xml file, using the statement that matches your database:

    • Databases that support CREATE TABLE IF NOT EXISTS and a DEFAULT 0 timestamp:

      CREATE TABLE IF NOT EXISTS IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP DEFAULT 0,
      TIME_CREATED TIMESTAMP DEFAULT 0, PRIMARY KEY (JWT_ID));

    • Databases that take a plain CREATE TABLE without defaults:

      CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP,
      TIME_CREATED TIMESTAMP, PRIMARY KEY (JWT_ID));

    • Microsoft SQL Server:

      IF NOT EXISTS (SELECT * FROM SYS.OBJECTS WHERE OBJECT_ID = OBJECT_ID(N'[DBO].[IDN_JWT_PRIVATE_KEY]') AND TYPE IN (N'U'))
      CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME DATETIME DEFAULT 0,
      TIME_CREATED DATETIME DEFAULT 0, PRIMARY KEY (JWT_ID));

  5. Edit the <IS_HOME>/repository/conf/identity/identity.xml file and add the following cache name under <CacheManager name="IdentityApplicationManagementCacheManager"> in the <CacheConfig> section:

    <Cache name="PrivateKeyJWT" enable="true" timeout="10" capacity="5000" isDistributed="false"/>
  6. Start WSO2 Identity Server and access the management console via https://localhost:9443/carbon/.
  7. Follow the steps below to add a service provider:

    1. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
    2. Specify the Service Provider Name and provide a brief Description of the service provider.
    3. Expand OAuth/OpenID Connect Configuration under the Inbound Authentication Configuration section, and then click Configure.
    4. Enter a callback URL (for example, http://localhost:8080/playground2/oauth2client) and click Add. This displays the OAuth Client Key and OAuth Client Secret.
  8. Follow the steps below to import the public key of the private_key_jwt issuer:

    1. Rename the public key certificate file of the private_key_jwt issuer to the OAuth Client Key that you obtained. The certificate is therefore stored under an alias equal to the client's OAuth Client Key, and once imported you should see a certificate with that name when you view the keystore via the management console.

    2. Restart the WSO2 Identity Server and log in to the Server management console using admin/admin credentials.
    3. Navigate to the Manage menu and click List under Keystores.
    4. Import the certificate file into the default keystore configured in the <IS_HOME>/repository/conf/carbon.xml file.

      In a default WSO2 Identity Server distribution the keystore name is wso2carbon.jks.

  9. Use the following curl command to retrieve the access token and refresh token using a JWT.

    Be sure to replace <clientid>, <authorization-code> and <private_key_jwt> with appropriate values in the following curl command.

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "client_id=<clientid>&grant_type=authorization_code&code=<authorization-code>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<private_key_jwt>&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
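The following Go program is an added example, not part of the WSO2 documentation or of the authenticator's own code, showing both halves of the exchange the curl command above relies on. The client side builds and RS256-signs the client_assertion (iss and sub set to the OAuth Client Key, aud set to the token endpoint, a unique jti). The server side performs the checks the handler configured above is responsible for: it selects the public key by the client_id in the request (the keystore alias from step 8), verifies the signature with a pinned algorithm, checks iss, sub, aud and exp, and rejects a repeated jti that is still unexpired, which is the role of the IDN_JWT_PRIVATE_KEY table. The Validator's MaxAge field is my assumed reading of RejectBeforePeriodInMinutes (reject assertions issued more than that long ago); the key pair, client id and jti values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims of a private_key_jwt client assertion (RFC 7523, section 3).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// newKey generates the client's RSA key pair (constructed for this example).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// NewClientAssertion is the client side: build and RS256-sign the JWT that is
// posted as client_assertion. iss and sub both carry the OAuth Client Key.
func NewClientAssertion(key *rsa.PrivateKey, clientID, aud, jti string, now time.Time, ttl time.Duration) (string, error) {
	enc := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(Claims{Iss: clientID, Sub: clientID, Aud: aud, Jti: jti, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Validator is the authorization-server side: public keys looked up by client_id (the
// keystore alias in the steps above) and a jti store standing in for IDN_JWT_PRIVATE_KEY.
type Validator struct {
	Endpoint string
	MaxAge   time.Duration // assumed reading of RejectBeforePeriodInMinutes: oldest accepted iat
	Keys     map[string]*rsa.PublicKey
	seen     map[string]time.Time // JWT_ID -> EXP_TIME
}

func NewValidator(endpoint string, maxAge time.Duration) *Validator {
	return &Validator{Endpoint: endpoint, MaxAge: maxAge, Keys: map[string]*rsa.PublicKey{}, seen: map[string]time.Time{}}
}

// Validate authenticates the client_id named in the token request; nil means success.
func (v *Validator) Validate(clientID, assertion string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	hdrRaw, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	clmRaw, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(clmRaw, &c) != nil {
		return fmt.Errorf("invalid encoding, header or claims") // alg is pinned here, never taken from the token
	}
	pub := v.Keys[clientID] // selected by the request's client_id, never by anything inside the JWT
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("unknown client or signature verification failed")
	}
	exp := time.Unix(c.Exp, 0)
	switch {
	case c.Jti == "" || c.Iss != clientID || c.Sub != clientID || c.Aud != v.Endpoint:
		return fmt.Errorf("jti missing, or iss/sub/aud do not match this client and endpoint")
	case !now.Before(exp) || now.Sub(time.Unix(c.Iat, 0)) > v.MaxAge:
		return fmt.Errorf("assertion expired or issued too long ago")
	}
	if seenExp, dup := v.seen[c.Jti]; dup && now.Before(seenExp) {
		return fmt.Errorf("replayed jti") // the same JWT_ID is still unexpired in the store
	}
	v.seen[c.Jti] = exp
	return nil
}

func main() {
	key, v, now := newKey(), NewValidator("https://localhost:9443/oauth2/token", time.Hour), time.Now()
	v.Keys["client-1"] = &key.PublicKey
	jwt, _ := NewClientAssertion(key, "client-1", v.Endpoint, "jti-1", now, 5*time.Minute)
	fmt.Println("first use:", v.Validate("client-1", jwt, now), "| replay:", v.Validate("client-1", jwt, now))
}
```

Run it with go run: the first Validate call returns nil and the immediate replay of the same assertion is rejected. The in-memory map stands in for the database table; in a deployment the replay store has to be shared by every node that serves the token endpoint, which is why the setup above creates IDN_JWT_PRIVATE_KEY in the identity datasource rather than relying on a cache alone, and expired JWT_ID rows can be purged once their EXP_TIME has passed because an expired assertion is rejected by the exp check anyway.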