Initial private (JWT) key registration processThe private_key_jwt authentication is based on asymmetric key, the private part is generated and only known by the client whereas the public part is communicated and registered in the authorization server for the specific client. draw.io Diagram |
---|
border | true |
---|
| |
---|
diagramName | private_key_jwt registration |
---|
simpleViewer | false | width |
---|
600 | links | auto |
---|
tbstyle | top |
---|
lbox | true |
---|
diagramWidth | 1081 |
---|
revision | 1 |
---|
|
a
Private (JWT) key authentication processThe authentication flow of private_key_jwt is depicted in the diagram below draw.io Diagram |
---|
border | true |
---|
| |
---|
diagramName | private_key_jwt authentication |
---|
simpleViewer | false |
---|
width | 600 |
---|
links | auto |
---|
tbstyle | top |
---|
lbox | true |
---|
diagramWidth | 1121 |
---|
revision | 1 |
---|
|
The private_key_jwt authentication consists of creating a JSON structure containing the following login attributes: Attribute | Example | Description |
---|
iss | das-api-auth | Issuer: Client id | sub | das-api-auth | Subject: Client id | aud | https://logindev.wipo.int:443/am/oauth2/access_token | Audience: Token endpoint of the authorization server | exp | 1622450728 | Expiration time: The expiration time of the data, current time + small amount of seconds (current epoch + 10s is ok) |
ES256 signing algorithm + above attributes + signature of them must be served in JWT format (rfc7519), see below: JWT client assertion header Code Block |
---|
language | yml |
---|
linenumbers | true |
---|
| {
"alg": "ES256",
"typ": "JWT"
} |
JWT client assertion payload | The JWT client assertion can now be submitted to authorization server for authentication with the token endpoint (i.e. POST https://logindev.wipo.int:443/am/oauth2/access_token in the attached specification) including the following parameters for client_credentials: