Re: [Dev] Clarification on Private key JWT Client Authentication for OIDC

2018-03-07 Thread Hasanthi Purnima Dissanayake
Hi Shanika,

> Thank you for the clarification. In the same doc [1] under step 15 it is
> asking to replace the   in the CURL command but no
> guidance for a user on how to get this value.
> Appreciate any guidance on this.
>
> +Shiraz   as these details need to be added to the doc
>
>
We do have a doc jira for this and Shiraz is working on it. We do have a
section to explain the JWT needed here in the document, as below. It seems it
should be more descriptive.

"The JWT *must* contain some REQUIRED claim values and *may* contain some
OPTIONAL claim values. For more information on the required and optional
claim values needed for the JWT for private_key_jwt authentication, click
here."

Here the private_key_jwt should be a signed JWT with the following format.

iss  REQUIRED. Issuer. This MUST contain the client_id of the OAuth Client.
sub  REQUIRED. Subject. This MUST contain the client_id of the OAuth Client.
aud  REQUIRED. Audience. The aud (audience) Claim. Value that identifies the
     Authorization Server as an intended audience. The Authorization Server
     MUST verify that it is an intended audience for the token. The Audience
     SHOULD be the URL of the Authorization Server's Token Endpoint.
jti  REQUIRED. JWT ID. A unique identifier for the token, which can be used
     to prevent reuse of the token. These tokens MUST only be used once,
     unless conditions for reuse were negotiated between the parties; any
     such negotiation is beyond the scope of this specification.
exp  REQUIRED. Expiration time on or after which the ID Token MUST NOT be
     accepted for processing.
iat  OPTIONAL. Time at which the JWT was issued.


A sample token is as follows before encoding.
{
  "alg": "RS256",
  "kid": ">",
  "typ": "JWT"
}

{
  "iss": "<>",
  "sub": "<>",
  "exp": >,
  "iat":  >,
  "jti": " an incremental unique value",
  "aud": 
}
<> with public and private key

Please refer to the spec [1] for additional details.

[1] http://openid.net/specs/openid-connect-core-1_0.html#OAuth.Assertions

Thanks,



On Wed, Mar 7, 2018 at 6:56 PM, Shanika Wickramasinghe 
wrote:

> Hi All,
>
> Thank you for the clarification. In the same doc [1] under step 15 it is
> asking to replace the   in the CURL command but no
> guidance for a user on how to get this value.
> Appreciate any guidance on this.
>
> +Shiraz   as these details need to be added to the doc
>
> [1]. https://docs.wso2.com/display/IS550/Private+Key+JWT+
> Client+Authentication+for+OIDC
>
> Thanks,
> Shanika.
>
> On Tue, Mar 6, 2018 at 4:26 PM, Abimaran Kugathasan 
> wrote:
>
>> Hi Shanika,
>>
>> 11th, 12th, and 13th are subsets of 10th (Import the public key of the
>> private_key_jwt issuer). You have to rename because management console
>> takes the file name of the public key as the alias which is clientID.
>>
>> The 14th step is an alternative way to install the public key through keytool
>> and it requires a server restart.
>>
>> On Tue, Mar 6, 2018 at 2:56 PM, Shanika Wickramasinghe
>> wrote:
>>
>>> Hi All,
>>>
>>> I tried the steps included under the section Deploying and configuring
>>> JWT client-handler artifacts in [1]. There in step 10 it says to Import the
>>> public key of the private_key_jwt issuer. The document does not have a detailed
>>> explanation on this and does not include any command to use. Is this
>>> referring to exporting the certificate from the key store, converting the
>>> binary encoded certificate into a PEM encoded certificate and importing it
>>> under the Application certificate in the service provider as in [2]?
>>>
>>> Under step 11 again it is asking to rename the public certificate with the
>>> OAuth App client ID name.
>>>
>>> Further, step 14 specifies importing the above certificate to the
>>> default keystore [1].
>>>
>>> I am not clear on steps 10, 11 and 14; appreciate any guidance on how to
>>> proceed with these steps.
>>>
>>>
>>>
>>> [1]. https://docs.wso2.com/display/IS550/Private+Key+JWT+Cli
>>> ent+Authentication+for+OIDC
>>> [2]. https://docs.wso2.com/display/IS550/Adding+and+Configur
>>> ing+a+Service+Provider
>>>
>>> Thanks,
>>> Shanika.
>>>
>>>
>>> --
>>> *Shanika Wickramasinghe*
>>> Software Engineer - QA Team
>>>
>>> Email: shani...@wso2.com
>>> Mobile  : +94713503563 <+94%2071%20350%203563>
>>> Web : http://wso2.com
>>>
>>>
>>
>>
>>
>> --
>> Thanks
>> Abimaran Kugathasan
>> Senior Software Engineer - API Technologies
>>
>> Email : abima...@wso2.com
>> Mobile : +94 773922820 <+94%2077%20392%202820>
>>
>>
>>
>
>
> --
> *Shanika Wickramasinghe*
> Software Engineer - QA Team
>
> Email: shani...@wso2.com
> Mobile  : +94713503563 
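To make the claim list above concrete, here is an added example (not code from this thread or from WSO2) in Go that builds a private_key_jwt assertion with exactly those claims and signs it with RS256, and then applies the checks the list asks of the Authorization Server: algorithm pinned, signature verified against the public key imported for the client, iss and sub equal to the client_id, aud equal to the token endpoint, exp in the future, and jti accepted only once. Everything it uses is constructed for the demo: a freshly generated RSA key pair stands in for the key whose certificate was imported, the client_id, token endpoint URL and kid value are placeholders, and aud is handled as a single string as in the sample token (the spec also allows an array).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims listed above; aud is taken as a single string, as in the sample token.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
}

var b64 = base64.RawURLEncoding

// BuildAssertion (client side): iss and sub carry the client_id, aud the token
// endpoint URL, jti a fresh unique value, exp a short lifetime; signed with RS256.
// kid is assumed to be the alias the client's public key was imported under.
func BuildAssertion(key *rsa.PrivateKey, kid, clientID, tokenEndpoint, jti string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(Claims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: jti, Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier (authorization server side) holds the public key imported for this
// client_id and remembers every jti it has accepted, so a reused one is rejected.
type Verifier struct {
	ClientID, TokenEndpoint string
	PublicKey               *rsa.PublicKey
	seenJTI                 map[string]bool
}

func NewVerifier(clientID, tokenEndpoint string, pub *rsa.PublicKey) *Verifier {
	return &Verifier{ClientID: clientID, TokenEndpoint: tokenEndpoint, PublicKey: pub, seenJTI: map[string]bool{}}
}

func decodePart(part string, out interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// Verify pins the algorithm, checks the signature, then checks every REQUIRED claim.
func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the token must never choose the verification algorithm
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.PublicKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify with the client's public key")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != v.ClientID || c.Sub != v.ClientID:
		return nil, fmt.Errorf("iss and sub must both equal the client_id")
	case c.Aud != v.TokenEndpoint:
		return nil, fmt.Errorf("aud is not this server's token endpoint")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("exp missing or in the past")
	case c.Jti == "" || v.seenJTI[c.Jti]:
		return nil, fmt.Errorf("jti missing or already used")
	}
	v.seenJTI[c.Jti] = true
	return &c, nil
}
```

Exercise it from a test or a small main of your own: BuildAssertion once, Verify it twice against the same Verifier, and the second call is rejected on jti, which is the single-use rule the claim list spells out. The order of checks matters: the server decides the algorithm and verifies the signature before it reads a single claim, so an attacker-controlled body is never trusted to describe how it should be verified.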

Re: [Dev] Clarification on Private key JWT Client Authentication for OIDC

2018-03-06 Thread Abimaran Kugathasan
Hi Shanika,

11th, 12th, and 13th are subsets of 10th (Import the public key of the
private_key_jwt issuer). You have to rename because management console
takes the file name of the public key as the alias which is clientID.

The 14th step is an alternative way to install the public key through keytool
and it requires a server restart.

On Tue, Mar 6, 2018 at 2:56 PM, Shanika Wickramasinghe 
wrote:

> Hi All,
>
> I tried the steps included under the section Deploying and configuring JWT
> client-handler artifacts in [1]. There in step 10 it says to Import the
> public key of the private_key_jwt issuer. The document does not have a detailed
> explanation on this and does not include any command to use. Is this
> referring to exporting the certificate from the key store, converting the
> binary encoded certificate into a PEM encoded certificate and importing it
> under the Application certificate in the service provider as in [2]?
>
> Under step 11 again it is asking to rename the public certificate with the
> OAuth App client ID name.
>
> Further, step 14 specifies importing the above certificate to the default
> keystore [1].
>
> I am not clear on steps 10, 11 and 14; appreciate any guidance on how to
> proceed with these steps.
>
>
>
> [1]. https://docs.wso2.com/display/IS550/Private+Key+JWT+Cli
> ent+Authentication+for+OIDC
> [2]. https://docs.wso2.com/display/IS550/Adding+and+Configur
> ing+a+Service+Provider
>
> Thanks,
> Shanika.
>
>
> --
> *Shanika Wickramasinghe*
> Software Engineer - QA Team
>
> Email: shani...@wso2.com
> Mobile  : +94713503563 <+94%2071%20350%203563>
> Web : http://wso2.com
>
>



-- 
Thanks
Abimaran Kugathasan
Senior Software Engineer - API Technologies

Email : abima...@wso2.com
Mobile : +94 773922820 <+94%2077%20392%202820>

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev