This documentation is for WSO2 Identity Server 5.3.0.


This section provides information on how you can use the Private Key JWT Client Authenticator with WSO2 Identity Server as an authentication method for clients to authenticate to the authorization server when using the token endpoint. This authentication mechanism allows a client to authenticate only if it has registered a public key and has signed a JWT using the corresponding private key.

...

The

...

The following topics walk you through the steps you need to follow to deploy and configure JWT client-handler artifacts so that you can use Private Key JWT Client Authenticator 1.0.1 with WSO2 Identity Server.

...

  • Maven 3.x

  • Java 1.7 or above

  • Download and install WSO2 Identity Server. For detailed information on how to install WSO2 Identity Server, see Installing the Product.

  • Set up the WSO2 OAuth 2.0 Playground sample. For instructions, see Setting Up the Sample Webapp.

Deploying and configuring JWT client-handler artifacts

...

  1. Download Private Key JWT Client Authenticator 1.0.1.

  2. Copy the downloaded org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt-1.0.1.jar to the <IS_HOME>/repository/component/dropins directory.
  3. To register the JWT grant type, edit the <IS_HOME>/repository/conf/identity/identity.xml file and do the following:

    • Add the following configuration under the <OAuth><ClientAuthHandlers> element:

      <ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthHandler">
          <Property Name="RejectBeforePeriodInMinutes">60</Property>
      </ClientAuthHandler>

    • Under <SupportedGrantTypes>, update the authorization_code grant type configuration as follows to include the <GrantTypeValidatorImplClass>:

      <SupportedGrantType>
          <GrantTypeName>authorization_code</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.grant.JWTAuthorizationCodeGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>

    • Under <SupportedGrantTypes>, update the client_credentials grant type configuration as follows to include the <GrantTypeValidatorImplClass>:

      <SupportedGrantType>
          <GrantTypeName>client_credentials</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.grant.JWTClientCredentialGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>
  4. Create a new table in the identity datasource configured in the <IS_HOME>/repository/conf/identity/identity.xml file, using the command for your database from the list below.

    H2 (h2.sql):

    CREATE TABLE IF NOT EXISTS IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP DEFAULT 0,
    TIME_CREATED TIMESTAMP DEFAULT 0, PRIMARY KEY (JWT_ID));

    MySQL and PostgreSQL (mysql.sql, mysql-5.7.sql, postgres.sql):

    CREATE TABLE IF NOT EXISTS IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP DEFAULT 0,
    TIME_CREATED TIMESTAMP DEFAULT 0, PRIMARY KEY (JWT_ID));

    DB2 (db2.sql):

    CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP,
    TIME_CREATED TIMESTAMP, PRIMARY KEY (JWT_ID))

    Oracle (oracle.sql, oracle-rac.sql):

    CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP,
    TIME_CREATED TIMESTAMP, PRIMARY KEY (JWT_ID))

    MS SQL Server (mssql):

    IF NOT EXISTS (SELECT * FROM SYS.OBJECTS WHERE OBJECT_ID = OBJECT_ID(N'[DBO].[IDN_JWT_PRIVATE_KEY]') AND TYPE IN (N'U'))
    CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME DATETIME DEFAULT 0,
    TIME_CREATED DATETIME DEFAULT 0, PRIMARY KEY (JWT_ID));
  5. Edit the <IS_HOME>/repository/conf/identity/identity.xml file and add the following cache name under <CacheManager name="IdentityApplicationManagementCacheManager"> in the <CacheConfig> section:

    <Cache name="PrivateKeyJWT" enable="true" timeout="10" capacity="5000" isDistributed="false"/>
  6. Start WSO2 Identity Server and access the management console via https://localhost:9443/carbon/.
  7. Follow the steps below to add a service provider:

    1. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
    2. Specify the Service Provider Name and provide a brief Description of the service provider.
    3. Expand OAuth/OpenID Connect Configuration under the Inbound Authentication Configuration section, and then click Configure.
    4. Enter a callback URL (for example, http://localhost:8080/playground2/oauth2client) and click Add. This displays the OAuth Client Key and OAuth Client Secret.
  8. Follow the steps below to import the public key of the private_key_jwt issuer:

    1. Rename the public key certificate file of the private_key_jwt issuer with the OAuth Client Key that you obtained. After the import below, when you view the keystore via the management console, there should be a certificate with the OAuth Client Key.

    2. Restart the WSO2 Identity Server and log in to the Server management console using admin/admin credentials.
    3. Navigate to the Manage menu and click List under Keystores.
    4. Import the certificate file to the default keystore configured in the <IS_HOME>/repository/conf/carbon.xml file.

      Note: In a default WSO2 Identity Server distribution, the keystore name is wso2carbon.jks.

  9. Use the following curl command to retrieve the access token and refresh token using a JWT.

    Note: Be sure to replace <clientid>, <authorization-code> and <private_key_jwt> with appropriate values in the following curl command.

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d 'client_id=<clientid>&grant_type=authorization_code&code=<authorization-code>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<private_key_jwt>&redirect_uri=http://localhost:8080/playground2/oauth2client' https://localhost:9443/oauth2/token