OAuth 2.0 with Private Key JWT Client Authentication

The Valsight application can authenticate with the authorization server by creating a JWT, signing it with a private key, and sending it to the authorization server with its requests. The authorization server is provided with the public key so it can confirm the JWT has come from the application.

More information can be found here: Private Key JWT

Before configuring the Valsight application to perform this form of client authentication, ensure the authorization server accepts the 'private_key_jwt' authentication type at its token endpoint. This can normally be confirmed by looking at the authorization server's '.well-known/openid-configuration' endpoint.

Once confirmed, generate an RSA private/public key pair. The RSA private key must be stored in the PKCS 8 format. One way to generate such a file is to use OpenSSL. First generate the certificate PEM file and the private key in PKCS 1 format with the following command:

openssl req -x509 -newkey rsa:4096 -keyout privKeyPKCS1.pem -out cert.pem -sha256 -days 3650 -nodes

Next convert the private key to the PKCS 8 format and convert to the “key” file format with the following command:

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in privKeyPKCS1.pem -out privKey.key

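This private key should then be moved to a location that is accessible to the Valsight application, e.g. './conf/oidc/'. Because the key is written without a passphrase (-nocrypt), restrict read access on the file to the account that runs the application.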

The authorization server will then need to be configured to recognise JWTs signed with this private key, e.g. by uploading the public key. The exact steps may differ from provider to provider.

NOTE: If you need to generate a public key for your authorization server then use the following command with OpenSSL:

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
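
A pre-flight check for the prerequisites above, as an added example (not Valsight's own code): it confirms that the discovery document advertises private_key_jwt and that the key file is an unencrypted PKCS 8 PEM readable only by its owner. The function names, the sample discovery document and the assumption that the key must be unencrypted (as produced by -nocrypt) belong to this example.

```python
import json
import os
import stat

# Constructed sample discovery document (not from a real server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})

# PEM labels and the private key encoding each one denotes.
PEM_LABELS = {
    "-----BEGIN PRIVATE KEY-----": "pkcs8",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----": "pkcs8-encrypted",
    "-----BEGIN RSA PRIVATE KEY-----": "pkcs1",
}


def key_encoding(pem_text):
    """Classify a PEM private key by its first non-blank line."""
    for line in pem_text.splitlines():
        line = line.strip()
        if line:
            return PEM_LABELS.get(line, "unknown")
    return "unknown"


def server_accepts_private_key_jwt(discovery_json):
    """True if the discovery document advertises private_key_jwt."""
    doc = json.loads(discovery_json)
    # OpenID Connect Discovery: if the list is omitted, only client_secret_basic is implied.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return "private_key_jwt" in methods


def preflight(key_path, discovery_json):
    """Return a list of problems; an empty list means all checks passed."""
    problems = []
    if not server_accepts_private_key_jwt(discovery_json):
        problems.append("token endpoint does not advertise private_key_jwt")
    with open(key_path, encoding="ascii", errors="replace") as fh:
        encoding = key_encoding(fh.read())
    if encoding != "pkcs8":  # assumption: unencrypted PKCS 8, as -nocrypt produces
        problems.append(f"key is {encoding}, expected unencrypted pkcs8")
    # With no passphrase on the key, file permissions are its only protection.
    if os.name == "posix" and stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        problems.append("key file is accessible to group or others")
    return problems
```

Pass the body of the server's '.well-known/openid-configuration' response as discovery_json and the path of privKey.key as key_path.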

Next, update the Valsight application's config.yaml to use 'private_key_jwt' as the authentication method for the 'openIdConnect' client registration. If you have a pre-existing setting, add the following configuration keys to the config.yaml:

Configuration Key (….registration.openIdConnect →) | Value to Use
client-authentication-method | The type of client authentication to perform with the Authorization Server.
privateRSAKeyPath | The path to the private key that is used to sign JWT tokens when using client authentication type 'private_key_jwt'. The file that this path points to must be an RSA private key stored in a PKCS 8 file. Example: ./conf/oidc/privKey.key

The basic config.yaml configuration is shown below. Depending on your authorization server you may require further configuration. See for details on other available settings.

                        client-id: <ID OF YOUR CLIENT>
                        client-authentication-method: private_key_jwt
                        privateRSAKeyPath: <PATH TO PRIVATE KEY FILE>
                        scope: openid, <OTHER REQUIRED SCOPES>
                                    username: <CLAIM NAME>
                                    email: <CLAIM NAME>
                                    fullName: <CLAIM NAME>
                        issuer-uri: <ISSUER URL>
                        authorization-uri: <AUTHORIZATION URL>
                        token-uri: <TOKEN URL>
                        jwk-set-uri: <JWK SET URL>