Enable client assertion authentication #66

Closed
5 tasks
ycrumeyrolle opened this issue Oct 9, 2017 · 10 comments
Comments

@ycrumeyrolle

ycrumeyrolle commented Oct 9, 2017

Endpoints

  • token
  • introspection
  • revocation

Styles

  • client_secret_jwt
  • private_key_jwt

client_secret_jwt requires an additional signingAlgorithm parameter. The key is the client_secret.
private_key_jwt requires the additional parameters signingAlgorithm and an asymmetric key. The key could be a JWK.

Requirement
No dependency to Microsoft JWT package
Integrated within a generic callback when creating the POST body

@ycrumeyrolle
Author

ycrumeyrolle commented Oct 9, 2017

No dependency to Microsoft JWT package

Or is it no external dependency at all?

@ycrumeyrolle
Author

Integrated within a generic callback when creating the POST body

Can you be more precise?

@leastprivilege
Contributor

For all bearer style credentials, it typically boils down to adding something to the POST body, e.g.

client_assertion and client_assertion_type

Instead of baking in client assertion support directly, I want a generic easy way to add to the POST body (easier than modifying the body in an HTTP handler).

Once we have that, you can have helpers that produce the actual assertion and use that new hook to add it to the body.

I don't want the assertion producing code in IdentityModel itself.
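The two styles from the opening post and the two POST-body fields named above, carried through end to end as an added example (not IdentityModel's code and not code from this thread): a client_secret_jwt assertion per RFC 7523 signed with the client_secret, the generic hook that adds client_assertion and client_assertion_type to the form, and the checks a token endpoint should run on what it receives. The client id, secret and token endpoint URL are constructed sample values; the function names are this example's own.

```python
import base64, hashlib, hmac, json, time, uuid

# RFC 7523 / OIDC Core 9: assertion type for JWT client authentication.
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_secret_jwt(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """client_secret_jwt: HS256 JWT whose HMAC key is the client_secret itself."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def add_client_assertion(form: dict, assertion: str) -> dict:
    """The generic POST-body hook: the assertion replaces client_secret in the form."""
    form = {k: v for k, v in form.items() if k != "client_secret"}
    form["client_assertion_type"] = ASSERTION_TYPE
    form["client_assertion"] = assertion
    return form

def verify_client_secret_jwt(assertion, client_secret, token_endpoint, now=None):
    """Token-endpoint side: pin alg, constant-time signature check, then aud/exp/iss==sub."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != token_endpoint or claims.get("exp", 0) <= now:
        return None
    if claims.get("iss") != claims.get("sub"):
        return None
    return claims
```

A real token endpoint would additionally reject a reused jti and accept aud given as a list; private_key_jwt follows the same shape with an asymmetric signature in place of the HMAC.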

@leastprivilege leastprivilege changed the title Enabled client assertion authentication Enable client assertion authentication Oct 9, 2017
@leastprivilege leastprivilege self-assigned this Oct 9, 2017
@ycrumeyrolle
Author

ycrumeyrolle commented Oct 9, 2017

The current implementation of the post values authentication style is in an extension method of the RequestAsync method called RequestCustomAsync. Do you agree that it is not the desired hook model?

@ycrumeyrolle
Author

Proposal:

With an Authenticate method

var client = new TokenClient(...);
client.Authenticate(_authentication parameters_);
client.RequestAsync();

Where the Authenticate method would be virtual. This method may be called within the RequestAsync method. The Authenticate method would add items to the form dictionary.

With an IAuthenticator

var client = new TokenClient(..., IAuthenticator instance);
client.RequestAsync();

The IAuthenticator would add items to the form dictionary.

With a DiscoveryClient Factory

var disco = ...
var tokenClient = disco.CreateTokenClient();
tokenClient.RequestAsync();

The discovery client would be responsible for creating a client with the appropriate parameters. What if the AS supports multiple authentication methods?

@leastprivilege
Contributor

The more I think about it, I don't like putting this feature in here.

IdentityModel should have the building blocks necessary to pass the credentials with the request. Other higher level libraries should implement the smarts you are talking about.

TokenClient is all set - introspection & revocation I need to check.

I encourage you to write this higher level lib that utilizes IdentityModel.

@leastprivilege
Contributor

Did you even start work on the higher level library I mentioned?

@ycrumeyrolle
Author

I put this work in standby for the moment.

@leastprivilege
Contributor

ok. closing then.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 23, 2021