You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Smals' OAuth2 server (also used by CBSS) however uses another technique for the same purpose, namely "JWT for authentication" which can be used as alternative of client_secret in grant types like client credentials or authorization code grant.
Client authentication using a JWT is nothing more than an alternative way
for a client to authenticate to the token endpoint and must be used
in conjunction with some grant type to form a complete and meaningful
protocol request. JWT authorization grants may be used with or
without client authentication or identification. Whether or not
client authentication is needed in conjunction with a JWT
authorization grant, as well as the supported types of client
authentication, are policy decisions at the discretion of the
authorization server.
From this explanation, it seems if the only goal is a more secure AuthN of the client, "JWTs for client authentication" is a better fit.
If the goal is to exchange claims (which are encoded in the JWT) from a trusted source to an access token, JWT can be used as grant.
Industry support:
Spring Security added support for both options in latest version
Axway APIGW seems to only support JWT grant flow out of the box
other products??
The text was updated successfully, but these errors were encountered:
eHealth Platform uses signed JWTs for client authentication in its authorizationserver when a confidential client requests a token from the token endpoint. Protocol as described in section 2.2 of RFC7523. No claims are exchanged in that signed jwt. It is merely to identify the client in a more secure way then client_secret, which is not allowed by eHealth Platform.
Signed JWT authentication is supported out of the box by Red Hat SSO product (based on Keycloak).
JWT as authorization grant (section 2.1) is not (I think).
Current adoc describes use of JWT as authorization grant to have a better security than shared secret (client_secret) : https://github.com/belgif/rest-security/blob/master/src/main/asciidoc/index.adoc#using-jwt-for-access-token-requests
Smals' OAuth2 server (also used by CBSS) however uses another technique for the same purpose, namely "JWT for authentication" which can be used as alternative of client_secret in grant types like client credentials or authorization code grant.
Which one should we recommend in the guide?
Both options are described in RFC7523:
From the RFC:
From this explanation, it seems if the only goal is a more secure AuthN of the client, "JWTs for client authentication" is a better fit.
If the goal is to exchange claims (which are encoded in the JWT) from a trusted source to an access token, JWT can be used as grant.
Industry support:
The text was updated successfully, but these errors were encountered: