OAuth 2.0 with Private Key JWT Client Authentication
It is possible for the Valsight application to authenticate with the authorization server by creating and signing a JWT using a private key, which is sent to the authorization server with its token requests. The authorization server is provided with the public key to confirm that the JWT has come from the application.
More information can be found here: Private Key JWT
Before starting the configuration of the Valsight application to perform this form of client authentication, ensure the authorization server accepts the 'private_key_jwt' authentication type at its token endpoint. This can normally be confirmed by looking at the authorization server's '.well-known/openid-configuration' endpoint, where the supported methods are listed under 'token_endpoint_auth_methods_supported'.
Once confirmed, you will need to generate an RSA private/public key pair. The requirement is that the RSA private key must be stored in PKCS#8 format. One way to generate such a file is with OpenSSL. First generate the certificate PEM file and the private key in PKCS#1 format with the following command:
```
openssl req -x509 -newkey rsa:4096 -keyout privKeyPKCS1.pem -out cert.pem -sha256 -days 3650 -nodes
```
Next convert the private key to PKCS#8 format, writing it to a '.key' file, with the following command:
```
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in privKeyPKCS1.pem -out privKey.key
```
This private key should then be moved to a location that is accessible to the Valsight application, e.g. './conf/oidc/'.
The authorization server will then need to be configured to trust this key, e.g. by uploading the public key; the exact steps differ from provider to provider.
NOTE: If your authorization server needs the public key on its own rather than the certificate, extract it from cert.pem with the following OpenSSL command:
```
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
```
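As an added illustration (not code from the Valsight documentation or product), the Go function below builds the signed client assertion described at the top of the page and enforces the PKCS#8 key requirement from the key-generation steps above. The client id, token endpoint and 5-minute assertion lifetime are assumptions; substitute your own registration values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// SignAssertion builds the client_assertion JWT a private_key_jwt client presents at the
// token endpoint. The key must be a PKCS#8 PEM file (a PKCS#1 "BEGIN RSA PRIVATE KEY"
// file is rejected, as the page requires). Claims follow OpenID Connect Core 1.0 section 9:
// iss and sub are the client id, aud is the token endpoint, jti guards against replay.
func SignAssertion(pkcs8PEM []byte, clientID, tokenURI string, now time.Time) (string, error) {
	block, _ := pem.Decode(pkcs8PEM)
	if block == nil || block.Type != "PRIVATE KEY" {
		return "", errors.New("key file must be a PKCS#8 PEM block (BEGIN PRIVATE KEY)")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return "", errors.New("private key is not an RSA key")
	}
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand: a random, single-use assertion id
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenURI, "jti": b64.EncodeToString(jti),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // assumed 5-minute lifetime
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}
```

The authorization server verifies the signature with the uploaded public key and additionally checks that aud names its own token endpoint, that exp has not passed and that the jti has not been presented before.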
Next update the Valsight application's config.yaml to use 'private_key_jwt' as the authentication method for the 'openIdConnect' client registration by adding the following configuration keys to config.yaml (alongside any pre-existing 'openIdConnect' settings):
Configuration Key (….registration.openIdConnect →) | Description | Value to Use |
---|---|---|
client-authentication-method | The type of client authentication to perform with the Authorization Server. | client_secret_basic |
privateRSAKeyPath | The path to the private key used to sign JWT tokens when using client authentication type 'private_key_jwt'. The file this path points to must be an RSA private key stored in PKCS#8 format. | <PATH TO PRIVATE KEY FILE> Example: ./conf/oidc/privKey.key |
The basic config.yaml configuration is shown below. Depending on your authorization server you may require further configuration. See OpenID Connect Configuration for details on other available settings.
```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          openIdConnect:
            client-id: <ID OF YOUR CLIENT>
            client-authentication-method: private_key_jwt
            privateRSAKeyPath: <PATH TO PRIVATE KEY FILE>
            scope: openid, <OTHER REQUIRED SCOPES>
            valsightOpenIdConnectProperties:
              userProfileMapping:
                username: <CLAIM NAME>
                email: <CLAIM NAME>
                fullName: <CLAIM NAME>
        provider:
          openIdConnect:
            issuer-uri: <ISSUER URL>
            authorization-uri: <AUTHORIZATION URL>
            token-uri: <TOKEN URL>
            jwk-set-uri: <JWK SET URL>
```