As described in the OIDC specification, clients are either Confidential Clients, which are capable of keeping secrets, or Public Clients, which are not capable of holding secrets (or for which some other factor makes client secrets unnecessary).
Client identifier
In any case, a Client Id (Client Identifier) is required. This means that, whether the client is Confidential or Public, a Client Id must be registered with (and possibly issued by) the Buypass OpenID Provider before use.
The Client Id is registered within a Security Domain, and the client must also specify and handle the scopes and claims relevant for that domain.
Tokens will not be issued to unregistered clients.
Client authentication methods
In general, Buypass only supports Confidential Clients. The exception is clients using the Implicit Flow; all other supported flows and grants require Confidential Clients.
OIDC defines several client authentication methods for Confidential Clients; see Client Authentication.
Currently, Buypass only supports one of these methods: private_key_jwt.
In short, this means that in addition to the Client Id, a public key must be registered with (and possibly issued by) Buypass. The client uses the corresponding private key to sign a JSON Web Token (JWT), which is sent as part of the client authentication request.
Client request JWT claims
The following minimum set of claims must be present in the client request JWT:
Claim | Required | Description | Example value |
---|---|---|---|
iss | yes | Issuer. Should be set to the Client Id (Client Identifier) of the OIDC/OAuth2 client. | oidc-client |
sub | yes | Subject. Should be set to the Client Id (Client Identifier) of the OIDC/OAuth2 client. | oidc-client |
aud | yes | Audience. Should be set to the issuer URL of the OpenID Provider/OAuth2 Authorization Server. | https://auth.buypass.no/auth/realms/SECURITYDOMAIN |
jti | yes | JWT ID. A unique identifier for the token, used to prevent reuse of the token; each token MUST only be used once. See also: JWT ID Claim. | 461d5788-2a18-4e63-9e35-7097e02b0227 |
exp | yes | Expiration time on or after which the JWT MUST NOT be accepted for processing. The value is a NumericDate (seconds since the epoch; see JWT terminology). See also: Expiration Time Claim. | 1510831578 |
iat | yes | Time at which the JWT was issued. The value is a NumericDate (seconds since the epoch; see JWT terminology). See also: Issued At Claim. | 1510831518 |
Example
Example using jwtgen, a small NPM command-line tool, to generate the JWT:
```bash
SD="SECURITYDOMAIN"
ISSUER_URL="https://auth.buypass.no/auth/realms/${SD}"
TOKEN_URL="${ISSUER_URL}/protocol/openid-connect/token"
CLIENT_ID="oidc-client"

# Generate cert and key (-dname and -keypass avoid keytool's interactive prompts)
keytool -genkey -keyalg RSA -alias ${CLIENT_ID}-jwt-selfsigned -keystore ${CLIENT_ID}-keystore.jks \
  -storepass password -keypass password -validity 360 -keysize 2048 -dname "CN=${CLIENT_ID}"

# Export certificate (stdout); this is the public half that gets registered with Buypass
keytool -export -alias ${CLIENT_ID}-jwt-selfsigned -keystore ${CLIENT_ID}-keystore.jks -rfc -storepass password

# Convert JKS to PKCS12 format
keytool -importkeystore -srckeystore ${CLIENT_ID}-keystore.jks -destkeystore ${CLIENT_ID}-keystore.p12 \
  -deststoretype PKCS12 -srcstorepass password -deststorepass password

# Export the certificate
openssl pkcs12 -in ${CLIENT_ID}-keystore.p12 -passin pass:password -nokeys -out ${CLIENT_ID}-jwt-cert.pem

# Export the private key (unencrypted; this file is the client credential, keep it private)
openssl pkcs12 -in ${CLIENT_ID}-keystore.p12 -passin pass:password -nodes -nocerts -out ${CLIENT_ID}-jwt-key.pem

# Fresh JWT ID for every request: a jti must only ever be used once
JTI=$(uuidgen)
JSON="{ \"iss\": \"${CLIENT_ID}\", \"sub\": \"${CLIENT_ID}\", \"aud\": \"${ISSUER_URL}\", \"jti\": \"${JTI}\" }"

# Generate signed JWT (jwtgen adds the exp and iat claims; -e 3600 gives a one-hour lifetime)
CLIENT_JWT=$(jwtgen -a RS256 -e 3600 -p ${CLIENT_ID}-jwt-key.pem --claims "${JSON}")

# Post the token request with the client assertion using curl.
# Each -d option is appended to the form body; curl joins them with "&".
curl -i -w "\n" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -X POST "${TOKEN_URL}" \
  -d "grant_type=client_credentials" \
  -d "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
  -d "client_assertion=${CLIENT_JWT}"
```