OAuth 2.0/OIDC client authentication

Private Key JWT is an optional client authentication method defined in the OIDC specification OpenID Connect Core 1.0. It allows a client to authenticate with a signed JWT when calling protected endpoints of the authorization server, such as the /token and /par endpoints.

Private Key JWT is part of the FAPI 2.0 Security Profile and offers stronger client authentication than a shared client secret.

Airlock IAM, as an AS/OP, supports several mechanisms for authenticating static clients:

| Method | Description |
| --- | --- |
| Client secret | Authentication with client_id and client_secret is the weakest form of client authentication and corresponds to username/password authentication. It supports HTTP basic authentication (client_secret_basic) and form-parameter authentication (client_secret_post). This method is only suitable for confidential clients. See RFC 6749: The OAuth 2.0 Authorization Framework for details. |
| X.509 certificate (mTLS) | The AS/OP verifies the subject and issuer DN of the presented certificate (tls_client_certificate_bound_access_tokens). This method relies on a service that verifies the integrity and validity of the certificate and its chain to a trusted root certificate. |
| Private Key JWT | The private_key_jwt mechanism verifies the client's signed assertion with either a configured public key or a JWKS URL from which the public key is obtained. |

Authentication support for dynamically registered clients is limited to client_secret and X.509 certificates.

Database storage of private_key_jwt

The authorization server persists every accepted private_key_jwt client assertion so that a replayed assertion can be recognized and rejected. This requires a database table called OATH2_ACCEPTED_CLIENT_ASSERTIONS in the database.

Migration from IAM 8.2 or older

To use private_key_jwt, a database migration that adds the new table is required.

To migrate the database schema from IAM 8.2 or older, use the migration scripts provided in Relational databases for IAM.