Skip to content

Creating authorization endpoint with signed request object

duttarnab edited this page Apr 28, 2021 · 2 revisions

Generating client-jwks

To signed/encyrpted request object on the client-side we need to generate client-jwks. In oxd we are using org.gluu.oxauth.model.crypto.OxAuthCryptoProvider (from oxauth) to generate jwks.

  1. Create an instance of OxAuthCryptoProvider providing Keystore-Path, Keystore-password, and CryptProvider-dn-name (any appropriate dn) as parameters.
this.cryptoProvider = new OxAuthCryptoProvider(configuration.getCryptProviderKeyStorePath(), configuration.getCryptProviderKeyStorePassword(), configuration.getCryptProviderDnName());
  1. Later generating keys using generateKey method of OxAuthCryptoProvider
JSONObject result = this.cryptoProvider.generateKey(algorithm, calendar.getTimeInMillis(), Use.SIGNATURE);

Please follow https://github.com/GluuFederation/oxd/blob/master/oxd-server/src/main/java/org/gluu/oxd/server/service/KeyGeneratorService.java for details

OIDC Client

In registered OIDC client (on oxtrust) add the following fields in Encryption/signing settings tab and save:

  1. JWS alg Algorithm for signing Request Objects - define the algorithm to sign the request object.
  2. JWKS - Define client-jwks in this field.

Sign parameters of the authorization request

  1. Create Request Object JWT by adding signing Algo, and keyId to its header and setting the other parameters to its claims.

Check: https://github.com/GluuFederation/oxd/blob/master/oxd-server/src/main/java/org/gluu/oxd/server/op/GetRequestObjectUriOperation.java#L75

  1. Sign Request Object jwt using sign method of org.gluu.oxauth.model.crypto.OxAuthCryptoProvider (pass the required params).

Check: https://github.com/GluuFederation/oxd/blob/master/oxd-server/src/main/java/org/gluu/oxd/server/op/GetRequestObjectUriOperation.java#L54

  1. The authorization URL with the signed request object can be created by adding the request-object to the request param.

ex: https://openid.net/specs/openid-connect-core-1_0.html#RequestParameter

Reference: https://openid.net/specs/openid-connect-core-1_0.html#RequestObject