Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWTs for secure client authentication #3

Open
pvdbosch opened this issue Sep 14, 2021 · 1 comment
Open

JWTs for secure client authentication #3

pvdbosch opened this issue Sep 14, 2021 · 1 comment

Comments

@pvdbosch
Copy link

Current adoc describes use of JWT as authorization grant to have a better security than shared secret (client_secret) : https://github.com/belgif/rest-security/blob/master/src/main/asciidoc/index.adoc#using-jwt-for-access-token-requests

Smals' OAuth2 server (also used by CBSS) however uses another technique for the same purpose, namely "JWT for authentication" which can be used as alternative of client_secret in grant types like client credentials or authorization code grant.

Which one should we recommend in the guide?

Both options are described in RFC7523:

From the RFC:

Client authentication using a JWT is nothing more than an alternative way
   for a client to authenticate to the token endpoint and must be used
   in conjunction with some grant type to form a complete and meaningful
   protocol request.  JWT authorization grants may be used with or
   without client authentication or identification.  Whether or not
   client authentication is needed in conjunction with a JWT
   authorization grant, as well as the supported types of client
   authentication, are policy decisions at the discretion of the
   authorization server.

From this explanation, it seems if the only goal is a more secure AuthN of the client, "JWTs for client authentication" is a better fit.
If the goal is to exchange claims (which are encoded in the JWT) from a trusted source to an access token, JWT can be used as grant.

Industry support:

  • Spring Security added support for both options in latest version
  • Axway APIGW seems to only support JWT grant flow out of the box
  • other products??
@frelibert
Copy link

eHealth Platform uses signed JWTs for client authentication in its authorizationserver when a confidential client requests a token from the token endpoint. Protocol as described in section 2.2 of RFC7523. No claims are exchanged in that signed jwt. It is merely to identify the client in a more secure way then client_secret, which is not allowed by eHealth Platform.

Signed JWT authentication is supported out of the box by Red Hat SSO product (based on Keycloak).
JWT as authorization grant (section 2.1) is not (I think).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pvdbosch @frelibert