Managing public keys for signed jwt

[ikethecoder]

User Story

As an API Provider,

I want a way for my clients to provide (and self-serve) a public certificate during access request time

so that my Identity Provider (IdP) can use it to validate the Client Assertion Token

unlike now where the only option currently is to use the Signed JWT with JWKS URL which is not possible as our IdP does not have direct internet access.

Two types of client credentials

The credential a client uses to authenticate falls into one of these two types:

Shared secret -- The Identity Provider issues the client with a secret (password) that is stored by the server as well as the client.

Private key -- The client generates a private RSA or EC key and stores it securely. The client then authenticates by signing an assertion (a JWT) with the private key.

Of the two methods the one based on a private key has stronger security properties.

• A client can store the private key in a Hardware Security Module (HSM) or a Trusted Platform Module (TPM) where the signing is performed internally, within the module, and extraction of the stored keys is not possible. This can reduce the risk of client impersonation significantly.

• The authorisation server doesn't keep any client-related credentials, limiting potential exposure.

• The signed assertions (JWT) expire, limiting the time window for replay if they get accidentally leaked. Client certificates can also be made to expire quickly.

• Finally, the issued tokens can be bound to the private key, enabling resource servers to require the client to prove its key possession when the token is submitted, thus upgrading the security of the OAuth 2.0 bearer tokens. Reference https://connect2id.com/learn/token-binding

Technical Design Notes

We have implemented the calls to the IdP already as we use it for the Signed JWT with Generated Key Pair flow.

Expected changes:

• Add a new authenticator of signed-jwt-with-public-key on the Authorization Profile
• On the Access Request dialog, prompt the user for a valid Public Key
• Use the public key as part of the Client creation
• Expose an API that allows an Application Owner (Consumer) to update their Public Key
• Provide a way for a Consumer to create an API Key for themselves for calling the above API

[elisafw-ux]

Designs (discussion board)

[ikethecoder]

@elisafw-ux I'm not able to see the designs - I get a "Hmm, couldn't find that one" error

[elisafw-ux]

@ikethecoder sorry! it's the same issue where you are gone from the board. I've invited you to view.

[sienna-blumstengel-bcgov]

@elisafw-ux to chat with Aidan to verify that there is anything else to work on

[elisafw-ux]

@ikethecoder On the access request modal, I kept the UI as it was originally which includes the public key under the environment then a text area for people to add their public key in PEM format. Under the My Access page I removed "Regenerate Credentials" and just have "Update Public Key"

Is there anything else that I need to work on from the UI side?

[elisafw-ux]

@chrsamp @ikethecoder Please review designs

[elisafw-ux]

@chrsamp @ikethecoder Updated designs Please review.

[chrsamp]

@elisafw-ux Reviewed and looks good to me. Makes sense to combine the public cert/JWKS options on the access request.