Initial private (JWT) key registration process
The private_key_jwt authentication is based on asymmetric key, the private part is generated and only known by the client whereas the public part is communicated and registered in the authorization server for the specific client.
Private (JWT) key authentication process
The authentication flow of private_key_jwt is depicted in the diagram below
The private_key_jwt authentication consists of creating a JSON structure containing the following login attributes:
Attribute | Example | Description |
|---|---|---|
| iss | das-api-auth | Issuer: Client id |
| sub | das-api-auth | Subject: Client id |
| aud | https://logindev.wipo.int:443/am/oauth2/access_token | Audience: Token endpoint of the authorization server |
| exp | 1622450728 | Expiration time: The expiration time of the data, current time + small amount of seconds (current epoch + 10s is ok) |
ES256 signing algorithm + above attributes + signature of them must be served in JWT format (rfc7519), see below:
JWT client assertion header
{
"alg": "ES256",
"typ": "JWT"
}
JWT client assertion payload
{
"iss": "das-api-auth",
"sub": "das-api-auth",
"aud": "https://logindev.wipo.int:443/am/oauth2/access_token",
"exp": 1622450728
}
JWT client assertion signature
# Signature of the header and payload sections. # it is an array of bytes encoded in base 64
All parts are encoded and separated by '.' to make up the JWT as follows
private_key_jwt assertion
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkYXMtYXBpLWF1dGgiLCJz dWIiOiJkYXMtYXBpLWF1dGgiLCJhdWQiOiJodHRwczovL2xvZ2luZGV2LndpcG8uaW50O jQ0My9hbS9vYXV0aDIvYWNjZXNzX3Rva2VuIiwiZXhwIjoxNjIyNDUwNzI4fQ.BLA6k2 kKKFVm6AG-DPDpRU_5JDFGRF1dHjKul7saWCv5OxXGg4EY-J9e1p8Dg0ngD2dZ2grkJ2 su7jaHy67YEw
The JWT client assertion can now be submitted to authorization server for authentication with the token endpoint (i.e. POST https://logindev.wipo.int:443/am/oauth2/access_token in the attached specification) including the following parameters for client_credentials:
POST parameter | example | Description |
|---|---|---|
| grant_type | client_credentials | OAuth2 client_credentials authentication flow is used for machine to machine communication |
| scope | das-api/das-access | Scopes (=roles), if any, separated by spaces which are required to use the DAS API |
| client_assertion_type | urn:ietf:params:oauth:client-assertion-type:jwt-bearer | The client_assertion_type indicates to the authorization server the method used to authenticate, private_key_jwt requires jwt-bearer |
| client_assertion | eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkYXMtYXBpLWF1dG giLCJzdWIiOiJkYXMtYXBpLWF1dGgiLCJhdWQiOiJodHRwczovL2xvZ2luZG V2LndpcG8uaW50OjQ0My9hbS9vYXV0aDIvYWNjZXNzX3Rva2VuIiwiZXh wIjoxNjIyNDUwNzI4fQ.BLA6k2kKKFVm6AG-DPDpRU_5JDFGRF1dHjKul7saWCv5OxXGg4EY-J9e1p8Dg0ngD2dZ2grkJ2su7jaHy67YEw | The JWT generated in the paragraph above |
Certificate to communicate to WIPO
After the generation of the es256 key, you will obtain the following files (or similar):
| es256_cert.pem | Certificate file that will be communicated to WIPO for the configuration of the private_key_jwt client authentication |
| es256_private.pem | Must never be communicated and kept secret, used by the client to sign the private_key_jwt authentication request |
| es256_public.pem | Used only at the generation step, kept for record |
| openssl.cnf | Used only at the generation step, kept for record |
As per the process, in order to register the Office key on WIPO systems, be aware that the file that has to be sent to WIPO is the one for the certificate (not the public key file)