Does or will Caché support RFC 7523

Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants).  Is that coming in 2017.2?

In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?

Thanks.

Answers

RFC 7523 specifies the use of a JWT both as an authentication mechanism for a client and as a grant type to obtain an access token. Caché supports the use of a JWT for client authentication in 2017.1. There are currently no plans to support the JWT grant type for obtaining an access token. This is a reasonable enhancement request. I suggest that you make the request through the WRC including more background on your intended use. Then priority can be set.

If you decide to add this support yourself, you should change OAuth2.REST to send the token endpoint request to your new class instead of OAuth2.Server.Token. The method in your new class can check for the JWT case and process it, or otherwise forward to OAuth2.Server.Token:Process. The OAuth2.Server.Token:CheckJWTAuthorization method has code which might help you learn how to handle JWT. Of course, the usual caveats apply to this approach.

I thought about use of RFC 7523 a bit more and realized that in many situations it is appropriate to use the client credentials grant type from RFC 6749 with the request authenticated using a JWT per RFC 7523. This usage is supported in 2017.1 and will give you many of the security attributes of the JWT grant type.
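To make the combination suggested above concrete (RFC 6749 client_credentials grant, client authenticated with an RFC 7523 JWT assertion), here is an added, self-contained Python sketch of both sides of that exchange. It is illustration only, not Caché code and not the OAuth2.Server classes mentioned in the answer; the token endpoint URL, client id and shared secret are constructed values, and the assertion is an HS256 JWT keyed with the shared client secret (the client_secret_jwt style), so no remote JWK set is involved on either side. The server part shows the checks RFC 7523 section 3 asks a token endpoint to perform (pinned algorithm, signature, issuer/subject, audience, expiry, jti replay) before the grant is honoured.

```python
"""RFC 7523 client authentication (HS256 over a shared client secret) in front of
the RFC 6749 client_credentials grant.  Added example; not Caché/OAuth2.Server code.
Constructed values: TOKEN_ENDPOINT, the client id "my-app" and its secret."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import uuid

# RFC 7523 section 2.2: tells the token endpoint a JWT is authenticating the client.
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example/oauth2/token"   # constructed example value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """Client side: HS256 JWT signed with the shared secret, claims per RFC 7523 section 3.
    Both parties already hold the secret, so no JWKS lookup is needed."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,          # issuer and subject are both the client itself
        "sub": client_id,
        "aud": token_endpoint,     # bind the assertion to this authorization server
        "iat": now,
        "exp": now + lifetime,     # keep it short-lived
        "jti": uuid.uuid4().hex,   # unique id so the server can refuse replays
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(client_id, client_secret, token_endpoint, scope, now=None):
    """Form parameters the client POSTs to the token endpoint (RFC 6749 4.4 + RFC 7523 2.2)."""
    return {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": build_client_assertion(client_id, client_secret, token_endpoint, now),
    }


def verify_client_assertion(assertion, lookup_secret, token_endpoint, seen_jti, now=None):
    """Server side.  Returns (client_id, None) on success or (None, reason) on failure."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return None, "malformed assertion"
    h64, c64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable assertion"
    # Pin the algorithm: the token must not get to pick "none" or a different key type.
    if header.get("alg") != "HS256":
        return None, "unsupported alg"
    client_id = claims.get("iss")
    if not client_id or claims.get("sub") != client_id:
        return None, "iss/sub mismatch"
    secret = lookup_secret(client_id)            # registered shared secret for this client
    if secret is None:
        return None, "unknown client"
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None, "bad signature"
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "assertion expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return None, "replayed or missing jti"
    seen_jti.add(jti)                            # remember until the assertion would expire
    return client_id, None


def process_token_request(form, lookup_secret, token_endpoint, seen_jti, now=None):
    """Minimal token endpoint: authenticate the client via its JWT, then issue an opaque
    access token for the client_credentials grant.  Errors follow RFC 6749 section 5.2."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    if form.get("client_assertion_type") != ASSERTION_TYPE:
        return {"error": "invalid_client", "error_description": "expected jwt-bearer assertion"}
    client_id, reason = verify_client_assertion(
        form.get("client_assertion", ""), lookup_secret, token_endpoint, seen_jti, now)
    if client_id is None:
        return {"error": "invalid_client", "error_description": reason}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "scope": form.get("scope", ""), "client_id": client_id}


if __name__ == "__main__":
    registry = {"my-app": "shared-client-secret"}   # constructed client registration
    req = build_token_request("my-app", registry["my-app"], TOKEN_ENDPOINT, "read")
    print(process_token_request(req, registry.get, TOKEN_ENDPOINT, set()))
```

The server keeps a set of seen jti values so the same assertion cannot be presented twice, pins the algorithm before looking at any other claim, and checks the audience so an assertion minted for one token endpoint is not accepted by another. Swapping HS256 for an asymmetric alg (RS256/ES256) is where a JWK set enters the picture: the client then signs with its private key and the server needs the client's public keys, which is the lookup a shared-secret HMAC never requires.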

Thanks for the tip Marvin, however, I ran into problems in the Auth Server with:

ERROR #8909: No remote public JWKS specified for alg: HS256.

I'm using client_secret_jwt and have shared the generated client secret manually, but the auth server seems to want to use JWK sets ...  What am I missing?

Thanks.