
Note that client authentication can be used both in the context of end-user authentication (for example in combination with the Authorization Code Flow) and as system-only authentication using the Client Credentials grant alone.

The client authentication methods available depend on the Security Domain, context and application.

As described in the OIDC specification, clients are either Confidential Clients, capable of keeping secrets, or Public Clients, not capable of holding secrets (or for which some other factor makes client secrets unnecessary).

...

OIDC defines several client authentication methods for Confidential Clients (see Client Authentication in the OIDC specification).

client_secret_basic / client_secret_post

These authentication methods are only supported in Security Domains where the security risk of client impersonation is low, or in closed domains where the additional security is considered unnecessary.

...

Buypass uses private_key_jwt as the default client authentication mechanism for open Security Domains and high-level IDs such as the BuypassID Domain.

...

Example using jwtgen to generate the JWT and curl to post the request:

SD="SECURITYDOMAIN"
ISSUER_URL="https://auth.buypass.no/auth/realms/${SD}"
TOKEN_URL="${ISSUER_URL}/protocol/openid-connect/token"
CLIENT_ID="oidc-client"

# Generate a self-signed certificate and private key. Skip this step if the
# private key and certificate are already available in the keystore named
# ${CLIENT_ID}-keystore.jks
keytool -genkey -keyalg RSA -alias ${CLIENT_ID}-jwt-selfsigned -keystore ${CLIENT_ID}-keystore.jks -storepass password -validity 360 -keysize 2048
# Export certificate (stdout)
keytool -export -alias ${CLIENT_ID}-jwt-selfsigned -keystore ${CLIENT_ID}-keystore.jks -rfc -storepass password
# Convert JKS to PKCS12 format
keytool -importkeystore -srckeystore ${CLIENT_ID}-keystore.jks -destkeystore ${CLIENT_ID}-keystore.p12 -deststoretype PKCS12 -storepass password
# Export the certificate
openssl pkcs12 -in ${CLIENT_ID}-keystore.p12 -nokeys -out ${CLIENT_ID}-jwt-cert.pem
# Export the private key (unencrypted)
openssl pkcs12 -in ${CLIENT_ID}-keystore.p12 -nodes -nocerts -out ${CLIENT_ID}-jwt-key.pem

# Claims of the client assertion: iss and sub are the client_id, aud is the issuer,
# jti is a unique id per assertion (replay protection)
JTI=$(uuidgen)
JSON="{
    \"iss\": \"${CLIENT_ID}\",
    \"sub\": \"${CLIENT_ID}\",
    \"aud\": \"${ISSUER_URL}\",
    \"jti\": \"${JTI}\"
}"

# Generate signed JWT (jwtgen adds the exp and iat claims; -e is the lifetime in seconds)
CLIENT_JWT=$(jwtgen -a RS256 -e 3600 -p ${CLIENT_ID}-jwt-key.pem --claims "${JSON}")

# Post the client authentication request to the token endpoint using curl
curl -i -w "\n" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -X POST "${TOKEN_URL}" \
  -d "grant_type=client_credentials" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "client_assertion=${CLIENT_JWT}"
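As an added example (not code from the Buypass page), the following shows the claim checks a token endpoint applies to a private_key_jwt client assertion like the one jwtgen produces above. It assumes the JWS signature has already been verified against the client's registered public key; the sample claims, jti values and timestamps are constructed.

```python
import time

# Added example, not the Buypass implementation. Assumes the JWS signature of the
# client assertion was verified with the client's registered key before these checks.

class JtiReplayCache:
    """Remembers seen jti values until the assertion they came from has expired."""
    def __init__(self):
        self._seen = {}  # jti -> exp

    def check_and_store(self, jti, exp, now):
        # Forget entries whose assertion is expired; it can no longer be replayed anyway.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True

def validate_client_assertion(claims, client_id, issuer_url, token_url, cache,
                              now=None, max_lifetime=3600, skew=60):
    """Return (True, 'ok') or (False, reason) for the claims of a verified assertion."""
    now = time.time() if now is None else now
    # iss and sub must both equal the client_id the assertion is presented for.
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "iss/sub mismatch"
    # aud must identify this authorization server: the issuer URL (as in the jwtgen
    # example) or the token endpoint. aud may be a single string or a list.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in (issuer_url, token_url) for a in auds):
        return False, "unexpected aud"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now - skew:
        return False, "missing or expired exp"
    iat = claims.get("iat", now)
    if iat > now + skew or exp - iat > max_lifetime:
        return False, "implausible iat/exp lifetime"
    jti = claims.get("jti")
    if not jti or not cache.check_and_store(jti, exp, now):
        return False, "missing or replayed jti"
    return True, "ok"

# Constructed sample claims mirroring the jwtgen example (fixed epoch seconds).
SAMPLE_ISSUER = "https://auth.buypass.no/auth/realms/SECURITYDOMAIN"
SAMPLE_TOKEN_URL = SAMPLE_ISSUER + "/protocol/openid-connect/token"
SAMPLE_CLAIMS = {"iss": "oidc-client", "sub": "oidc-client", "aud": SAMPLE_ISSUER,
                 "jti": "constructed-jti-1", "iat": 1700000000, "exp": 1700003600}
```

Presenting the same assertion twice is rejected on the second attempt, which is why a unique jti per request matters.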

...

In addition to the standard OIDC client authentication methods, Buypass also supports two-way TLS, or Mutual TLS authentication (mTLS), see https://tools.ietf.org/html/rfc5246#section-7.4.6.

Note that this authentication method is only available for selected clients and authentication scenarios in B2B setups (for example in the EnterpriseID Domain).

...

Using the curl tool, two-way TLS authentication is done with the supplied client certificate (and client key). Client authentication is then implicit: the request is sent over the established TLS connection directly to the token endpoint.

Note the parameter "?_tlsclientauth=1" added to the TOKEN_URL. The parameter triggers two-way TLS only when requested, in case multiple authentication methods are available for the client.

Example using curl with two-way TLS to post the request:

SD="SECURITYDOMAIN"
ISSUER_URL="https://auth.buypass.no/auth/realms/${SD}"
# Note: parameter to trigger mTLS only when requested
TOKEN_URL="${ISSUER_URL}/protocol/openid-connect/token?_tlsclientauth=1"
CLIENT_ID="oidc-client"

# Generate a self-signed certificate and private key. Skip this step if the
# private key and certificate are already available in the keystore named
# ${CLIENT_ID}-keystore.jks
keytool -genkey -keyalg RSA -alias ${CLIENT_ID}-selfsigned -keystore ${CLIENT_ID}-keystore.jks -storepass password -validity 360 -keysize 2048
# Export certificate (stdout)
keytool -export -alias ${CLIENT_ID}-selfsigned -keystore ${CLIENT_ID}-keystore.jks -rfc -storepass password
# Convert JKS to PKCS12 format
keytool -importkeystore -srckeystore ${CLIENT_ID}-keystore.jks -destkeystore ${CLIENT_ID}-keystore.p12 -deststoretype PKCS12 -storepass password
# Export the certificate
openssl pkcs12 -in ${CLIENT_ID}-keystore.p12 -nokeys -out ${CLIENT_ID}-cert.pem
# Export the private key (unencrypted)
openssl pkcs12 -in ${CLIENT_ID}-keystore.p12 -nodes -nocerts -out ${CLIENT_ID}-key.pem

# Post the client authentication request using curl; the client certificate and key
# are presented in the TLS handshake, so no client secret or assertion is sent
curl -v -i -w "\n" \
  --cert ${CLIENT_ID}-cert.pem \
  --key ${CLIENT_ID}-key.pem \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -X POST "${TOKEN_URL}" \
  -d "grant_type=client_credentials" \
  -d "client_id=${CLIENT_ID}"

...