View Source

Initial private (JWT) key registration process

The private_key_jwt authentication is based on asymmetric key, the private part is generated and only known by the client whereas the public part is communicated and registered in the authorization server for the specific client.

a.1.- Generation of (ES256) asymmetric keys

Private (JWT) key authentication process

The authentication flow of private_key_jwt is depicted in the diagram below

The private_key_jwt authentication consists of creating a JSON structure containing the following login attributes:

Attribute	Example	Description
iss	das-api-auth	Issuer: Client id
sub	das-api-auth	Subject: Client id
aud	https://logindev.wipo.int:443/am/oauth2/access_token	Audience: Token endpoint of the authorization server
exp	1622450728	Expiration time: The expiration time of the data, current time + small amount of seconds (current epoch + 10s is ok)

ES256 signing algorithm + above attributes + signature of them must be served in JWT format (rfc7519), see below:

JWT client assertion header

{
"alg": "ES256",
"typ": "JWT"
}

JWT client assertion payload

{
  "iss": "das-api-auth",
  "sub": "das-api-auth",
  "aud": "https://logindev.wipo.int:443/am/oauth2/access_token",
  "exp": 1622450728
}

JWT client assertion signature

# Signature of the header and payload sections. # it is an array of bytes encoded in base 64

All parts are encoded and separated by '.' to make up the JWT as follows

private_key_jwt assertion

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkYXMtYXBpLWF1dGgiLCJzdWIiOiJkYXMtYXBpLWF1dGgiLCJhdWQiOiJodHRwczovL2xvZ2luZGV2LndpcG8uaW50OjQ0My9hbS9vYXV0aDIvYWNjZXNzX3Rva2VuIiwiZXhwIjoxNjIyNDUwNzI4fQ.BLA6k2kKKFVm6AG-DPDpRU_5JDFGRF1dHjKul7saWCv5OxXGg4EY-J9e1p8Dg0ngD2dZ2grkJ2su7jaHy67YEw

The JWT client assertion can now be submitted to authorization server for authentication with the token endpoint (i.e. POST https://logindev.wipo.int:443/am/oauth2/access_token in the attached specification) including the following parameters for client_credentials:

POST parameter	example	Description
grant_type	client_credentials	OAuth2 client_credentials authentication flow is used for machine to machine communication
scope	das-api/das-access	Scopes (=roles), if any, separated by spaces which are required to use the DAS API
client_assertion_type	urn:ietf:params:oauth:client-assertion-type:jwt-bearer	The client_assertion_type indicates to the authorization server the method used to authenticate, private_key_jwt requires jwt-bearer
client_assertion	eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkYXMtYXBpLWF1dG giLCJzdWIiOiJkYXMtYXBpLWF1dGgiLCJhdWQiOiJodHRwczovL2xvZ2luZG V2LndpcG8uaW50OjQ0My9hbS9vYXV0aDIvYWNjZXNzX3Rva2VuIiwiZXh wIjoxNjIyNDUwNzI4fQ.BLA6k2kKKFVm6AG-DPDpRU_5JDFGRF1dHjKul7saWCv5OxXGg4EY-J9e1p8Dg0ngD2dZ2grkJ2su7jaHy67YEw	The JWT generated in the paragraph above

The above token endpoint is part of third party product that supports OpenID Connect (OIDC) authentication protocol based on the OAuth 2.0 family of specifications

a.2.- Sample authentication script (using JWT private key)

New DAS exchange API