Private Key JWT Client Authentication
The private_key_jwt method uses a client-generated JSON Web Token (JWT) signed with the client's asymmetric private key to prove the client's identity. The authorization server extracts the assertion from the token request and verifies its signature with the public key the client registered; no shared secret is ever sent over the wire.
Prerequisites to private_key_jwt
The authorization server allows client applications to use the private_key_jwt client authentication method.
The client is registered with private_key_jwt as its token endpoint authentication method.
A public/private key pair is generated on the client side. The private key never leaves the client.
The client's public key is converted from PEM format to a JWKS (JSON Web Key Set). You can host the JWKS on a server of your choice and reference it by jwks_uri instead of supplying it inline.
The public key is added to the authorization server, as either jwks or jwks_uri, in the client's OAuth configuration.
Authenticating Clients Using private_key_jwt Method
The client prepares the assertion's claim set as JSON. For example:
{
  "iss": "YzEzMGdoMHJnOHBiOG1ibDhyNTA=",
  "sub": "YzEzMGdoMHJnOHBiOG1ibDhyNTA=",
  "aud": "https://localhost:8443/{tid}/{aid}/oauth2/authorize",
  "jti": "1516235555",
  "exp": 1621214688
}
Both iss and sub carry the client_id. aud must identify the authorization server as the intended audience (RFC 7523); this example uses the server's authorize URL, but use whatever value your server is configured to accept, commonly the token endpoint URL or the issuer. jti must be unique per assertion so the server can reject replays. exp is a NumericDate (seconds since the Unix epoch, 1621214688 above is 2021-05-17T07:09:48+05:45), not a formatted date string, and should be only a minute or two in the future.
The claim set is signed with the client's private key, producing a JWT (a compact JWS). Use an asymmetric algorithm such as RS256, PS256 or ES256; a server must never accept alg "none" or an HMAC algorithm for this assertion.
The client makes a request for an access token to the authorization server's token endpoint with the following form parameters:
client_assertion_type (required): urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion (required): a single JSON Web Token, the signed assertion from the previous step
grant_type (required): the grant being requested, for example client_credentials
Example request (the assertion is the JWT from the previous step, shown on one line):
curl --request POST \
  --url 'https://localhost:8443/{tid}/{aid}/oauth2/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Accept: application/json' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3N1ZXIiOiJZekV6TUdkb01ISm5PSEJpT0cxaWJEaHlOVEE9Iiwic3ViamVjdCI6Ill6RXpNR2RvTUhKbk9IQmlPRzFpYkRoeU5UQT0iLCJzY29wZSI6ImludHJvc2NwZWN0X3Rva2VucywgcmV2b2tlX3Rva2VucyIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0Ojg0NDMve3RpZH0ve2FpZH0vb2F1dGgyL2F1dGhvcml6ZSIsImp3dElEIjoiMTUxNjIzOTAyMiIsImV4cGlyYXRpb25UaW1lIjoiMjAyMS0wNS0xN1QwNzowOTo0OC4wMDArMDU0NSJ9.PkkBvc1oPLdSXCqKdf5r2-is51CFvLVbdM9GYmzRvGqnxFK7MyKgSEqA0wZzC0rc8q7TAx2AwpFQE-Ea1MKQEW1qViyl2MwUcbg8QHN1dSZez_eMpmQiQUiIuZKJYbrjlbKypXPCGcTL8YVkDrA2F6nyEl1BpVvT8s-yeQX7VpfiKcKHApF0d_jnDizGCpwxnsSlobgjXRftMKoeyChKnF3y-KI33LrcP3n-Mvr9Y12vN39PV4JTzcBSqU4g8rjDtPt2Z1swXjEO4X6DQmso5L09a_Wb7vf9umaOJfP3luye7Uyj4fMTCNchZu0pFxq98-Dq13rdiXHOGsV0f0SkJw'
The parameters are sent application/x-www-form-urlencoded, as RFC 6749 requires for the token endpoint; a multipart (-F) upload or an Accept header of application/x-www-form-urlencoded will not work, since the token response is JSON. Note that the payload of this sample token uses non-standard claim names (issuer, subject, jwtID, expirationTime); a real assertion must use iss, sub, aud, jti and exp as shown in the JSON above.
The authorization server extracts the client_assertion, selects the client's registered key from jwks or jwks_uri, verifies the signature with that public key, and validates the claims: iss and sub must equal the client_id, aud must name this server, exp must not have passed, and jti must not have been seen before. Only after all of these checks pass does it generate an access token and return it to the client.
Result: The client is authenticated using the private_key_jwt flow.
When to use private_key_jwt
In general, the private_key_jwt client authentication method should be used by organizations that need a strong client authentication flow, for example businesses that must comply with the Financial-Grade API (FAPI) security profile. Unlike client_secret_basic or client_secret_post, it transmits no shared secret: only the public key is registered with the server, and each signed assertion is short-lived and single-use.
Standards Used in JWT Based Client Authentication
The authorization server processes requests for client authentication using the following standards: