OAuth 2.0/OIDC client authentication
Private Key JWT is an optional client authentication method defined in OpenID Connect Core 1.0. It allows a client to authenticate with a JWT signed by its own private key when calling protected endpoints of the authorization server, such as the /token and /par endpoints.
Private Key JWT is part of the FAPI 2.0 Security Profile and provides stronger client authentication than the client secret methods, since no shared secret is transmitted.
Airlock IAM, as an AS/OP, supports several mechanisms for authenticating static clients:
| Method | Description |
|---|---|
| Client secret | Authentication with client_id and client_secret is the weakest form of client authentication and corresponds to username/password authentication. The secret can be sent via HTTP Basic authentication (client_secret_basic) or as a request parameter (client_secret_post). This method is only suitable for confidential clients. See RFC 6749: The OAuth 2.0 Authorization Framework for details. |
| X.509 certificate (mTLS) | The AS/OP verifies the subject and issuer DN of the presented certificate (tls_client_certificate_bound_access_tokens). This method relies on a separate service having verified the integrity and validity of the certificate and its chain to a trusted root certificate. |
| Private Key JWT | The private_key_jwt mechanism verifies the signature of the client's assertion against either a statically configured public key or the keys obtained from a configured JWKS URL. |
Authentication support for dynamically registered clients is limited to client_secret and X.509 certificates.
Database storage of private_key_jwt
The authorization server persists every accepted private_key_jwt client assertion to protect against replay attacks. This requires a database table called OATH2_ACCEPTED_CLIENT_ASSERTIONS in the database.
Migration from IAM 8.2 or older
To use private_key_jwt, a database migration is required to add the new table.
To migrate the database schema from IAM 8.2 or older, use the migration scripts provided in Relational databases for IAM.