
Add section to OIDC client doc for Private Key JWT #6807

Closed
ayoho opened this issue Aug 7, 2023 · 1 comment


ayoho commented Aug 7, 2023

Relevant docs page: https://openliberty.io/docs/latest/reference/feature/openidConnectClient-1.0.html

File to update: https://github.com/OpenLiberty/docs/blob/vNext/modules/reference/pages/feature/openidConnectClient/examples.adoc

New section title: Configure an OpenID Connect client to use Private Key JWT authentication

Content:
OpenID Connect clients are required to provide authentication data to the OpenID Connect provider when they invoke the provider’s token endpoint. Clients can authenticate using several different methods, but most of those methods require a client secret. The private_key_jwt authentication method enables clients to use asymmetric keys to create signed JSON Web Tokens (JWTs) to authenticate instead of client secrets. OpenID Connect clients using this authentication method are no longer required to have a client secret.

Server administrators can enable this functionality using the private_key_jwt option for the tokenEndpointAuthMethod attribute, as well as the tokenEndpointAuthSigningAlgorithm and keyAliasName attributes in either the openidConnectClient or oidcLogin elements in their server.xml file.

The following example shows a configuration that uses the Private Key JWT token endpoint authentication method.

    <openidConnectClient id="RP"
        tokenEndpointAuthMethod="private_key_jwt"
        keyAliasName="privateKeyJwtAliasRS512"
        sslRef="mySslConfiguration" ... />

The tokenEndpointAuthSigningAlgorithm attribute specifies the signing algorithm to sign the JWT that is used for client authentication. The keyAliasName attribute points to the key to use to sign the JWT, and must also be the alias for the public key that corresponds to the private key. The private key must be in the keystore that is specified by the SSL configuration that is referenced by sslRef in the OIDC client configuration. The public key must be in one of the following:

  • the truststore that is specified by the trustStoreRef attribute in the openidConnectClient element
  • the truststore that is specified by the SSL configuration that is referenced by sslRef
  • the keystore that is specified by the SSL configuration that is referenced by sslRef

For more information about the configuration options, refer to the docs for the openidConnectClient element.

For more information about private_key_jwt client authentication, refer to the OpenID Connect core specification and RFC 7523.
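The token endpoint exchange that the section above describes, as an added example (it is not Open Liberty code and not part of this issue): both halves of private_key_jwt in Go, using only the standard library. The client side builds the assertion with iss and sub set to its client_id and aud set to the token endpoint, and signs it with RS512, as OIDC Core section 9 and RFC 7523 require; the provider side pins the algorithm before looking at the signature, verifies with the client's registered public key, and then validates the claims. The client id RP, the endpoint URLs, the jti value and the generated key pair are constructed for the demo; the key alias privateKeyJwtAliasRS512 is the one from the server.xml snippet and is carried in the kid header so the provider can find the matching public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

const ClientAssertionTypeJWTBearer = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" // RFC 7523 section 2.2

// AssertionClaims are the claims OIDC Core section 9 requires in a private_key_jwt assertion.
type AssertionClaims struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id
	Aud string `json:"aud"` // the provider's token endpoint URL
	Jti string `json:"jti"` // unique id so the provider can reject replays
	Exp int64  `json:"exp"`
}

// encodePart JSON-encodes v into one base64url (unpadded) JWT segment; decodePart reverses it.
func encodePart(v any) string {
	raw, _ := json.Marshal(v) // marshalling plain strings and ints cannot fail
	return base64.RawURLEncoding.EncodeToString(raw)
}
func decodePart(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// BuildClientAssertion signs with RS512 (RSASSA-PKCS1-v1_5 over SHA-512) and sends keyAlias as the "kid" header.
func BuildClientAssertion(priv *rsa.PrivateKey, keyAlias, clientID, tokenEndpoint, jti string, now time.Time) (string, error) {
	header := encodePart(map[string]string{"alg": "RS512", "typ": "JWT", "kid": keyAlias})
	claims := encodePart(AssertionClaims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: jti,
		Exp: now.Add(5 * time.Minute).Unix()}) // short lifetime narrows the replay window
	signingInput := header + "." + claims
	digest := sha512.Sum512([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyClientAssertion is the provider side: pin the algorithm, verify with the registered public key, then check claims.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, clientID, tokenEndpoint string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS512" { // never let the token choose the algorithm ("none", HS256, ...)
		return nil, errors.New("alg is not RS512")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c AssertionClaims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return nil, errors.New("iss/sub/aud do not match this client and token endpoint")
	}
	if c.Jti == "" || c.Exp <= now.Unix() {
		return nil, errors.New("missing jti or assertion expired")
	}
	return &c, nil
}

// TokenRequestForm adds private_key_jwt authentication to a token request; no client_secret is ever sent.
func TokenRequestForm(grant url.Values, assertion string) url.Values {
	grant.Set("client_assertion_type", ClientAssertionTypeJWTBearer)
	grant.Set("client_assertion", assertion)
	return grant
}
```

The form returned by TokenRequestForm carries only grant parameters plus client_assertion_type and client_assertion, which is what the section means by clients no longer needing a client secret: the only secret involved is the private key, and it never leaves the client. A production provider would additionally remember seen jti values until their exp passes so that a captured assertion cannot be replayed; that bookkeeping is left out here.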


ayoho commented Aug 7, 2023

I completely overlooked that this section is already in the vNext branch, and I would imagine it will be put into the official documentation some time after 23.0.0.9 is released. So this issue can be disregarded.

ayoho closed this as completed Aug 7, 2023