Client authentication - SSO

Confidential clients must send client credentials with requests to endpoints that require authentication. This includes token, introspection and revocation endpoints.

Two types of client credentials are defined: symmetric client secret and asymmetric client private key.

Client registration parameter "token_endpoint_auth_method" controls what authentication method client is expected to use. If registration parameter is not defined then provider automatically detects type of client credentials and one of "client_secret_basic" or "client_secret_form" is allowed.

Public clients

Since SSO v. 8.10 client registration parameter "token_endpoint_auth_method" value "none" is supported to indicate a public client. These clients are not entitled to send client authentication but client identification only. In this case client sends client_id as form POST data.


Client Secret

NameDescription
client_secret_basic

Client uses HTTP Basic authentication scheme with urlencoded(client_id) and urlencoded(client_secret).

Urlencoding requirement can be disabled with DisableOAuth2CredentialsUrlDecoding application compatibility flag.

client_secret_postClient sends client_id and client_secret as HTML Form parameters
client_secret_jwt 

Client uses JWTs for Client Authentication

The JWT is signed with a key derived from client_secret

Client Private Key

NameDescription
private_key_jwt

Client uses JWTs for Client Authentication

The JWT is signed with client's private key

Client registration parameter "jwks" is used to communicate client's public key with provider

JWTs for Client Authentication

Registration parameters

NameDescription
token_endpoint_auth_method

"client_secret_jwt"

or

"private_key_jwt"

token_endpoint_auth_signing_alg


Parameters

NameDescription
client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
client_assertionContains a single JWT

JWT Claims

NameDescription
iss

Issuer

Matches client_id of client

sub

Subject

Matches client_id of client

aud

Audience

Matches issuer identifier

exp

Expiration time

Expiration time must not be more than 60 minutes into future

jti

JWT ID

The jti claim is used to enforce one-time use of JWTs

References

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.