Layer7 API Management

Expand all | Collapse all

Using JWT for OAuth

  • 1.  Using JWT for OAuth

    Posted Dec 06, 2016 09:42 AM

    We have a need to provide OAuth authentication for "headless" clients, where there is no user to engage in the authorization code or similar login/consent grant types.  It seems the best option is to use a Jason Web Token (JWT) and the OTK doc alludes to this being supported but I can't find any step by step instruction on how it works.  The best explanation I've found so far of the general process is provided by Salesforce, for their token endpoint, and can be seen here:  https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&language=pt_BR_1_1&type=0#validate_token

     

    I'm looking to establish a similar process for the OTK.  Before I go down the path of experimentation and analysis of the OTK toke endpoint policies I thought I'd ask to see if anyone out there has done this?  I assume at the very least I'll have to store a certificate in an identity provider and call the endpoint with the appropriate grant type indicated.



  • 2.  Re: Using JWT for OAuth

    Posted Dec 06, 2016 03:04 PM

    Hi!

    I am not sure if I fully understand your requirement and the connection to SalesForce' example. I have got these questions:

    - do you want the client to be authenticated via a JWT instead of client_id/ client_secret?

    - do you want the user to be authenticated via a JWT instead of username/ password?

    - in both cases, who issued the JWT?

    Thanks for more details!

     

    Regards,

    Sascha



  • 3.  Re: Using JWT for OAuth

    Broadcom Employee
    Posted Dec 08, 2016 09:58 AM

    Hi StPaulPete

     

    Is the end goal just to retrieve tokens without being presented with the login/consent screens? Or is there a need for the JWT flow in particular?


    If the former, you may be best using some of the other flows, password or client credentials, for OAuth. Providing the client application is in possession of some key details (client/secret and/or uid/pw).

     

    https://docops.ca.com/ca-api-management-oauth-toolkit/3-5/en/oauth-request-scenarios

     

    Regards,

    Joe



  • 4.  Re: Using JWT for OAuth

    Posted Dec 08, 2016 01:06 PM

    Very good point.  The goal fundamentally is to retrieve an access token, securely, where there is no human present to engage in the consent process.  It just seems the JWT bearer token is the way to best do that, but we'll certainly listen to alternatives.  I believe there are a couple that rely on tokens exchanged in the uri parms, and that is not acceptable.

     

    As I understand it, the JWT is generated, it is signed by the client and the signature decrypted by the token endpoint.  If you look at the salesforce example flow it bypasses the auth endpoint.  The assumption seemly that the signed JWT constitutes the authorization and consent.  We have tested this with Salesforce and it works.  But when the architect tried it wth OTK it seems to run into the problem of needing a token that was generated (or otherwise known I suppose) to the gateway.  We are really just trying to accomplish the same flow that the Salesforece example does with our OTK so we can offer the same type of service.

     

    So it would seem we somehow need to get the token into the OTK, as well as getting the clients cert into some sort of accessible location so it can decrypt the signature.  Anyway, this is how we're seeing the standard flow, referring to the IETF description.  I will acknowledge I have some more reading of that to do.



  • 5.  Re: Using JWT for OAuth

    Posted Dec 09, 2016 09:41 AM

    I'll provide a bit more information that may help clarify.  First, the IETF RFC we are trying to comply with can be found here.  RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants 

     

    Secondly, with regard to the link provided by dasjo02, the specific request type we are trying to use is described in the section "grant_type=urn:ietf:parms:oauth:grant-type:jwt-bearer".  The question is, how do we implement this from a gateway/OTK configuration perspective.  This section specifies "Only id_token (JWT) that were issued by the OAuth server are accepted."  (This seems backward with respect to the Salesforce example where the client creates a JWT.)

     

    This is problem 1.  How do we issue the JWT?  There is an "Encode JSON Web Token" assertion, as well as one for decoding.  Are we to create a Gateway service that issues the JWT?  How do we get it to the client so it can be used as the request to the token endpoint?



  • 6.  Re: Using JWT for OAuth

    Broadcom Employee
    Posted Dec 09, 2016 10:04 AM

    Thank you for the the details. I believe I have a better understanding of the requirement.

     

    If you need help in generating the JWT, it looks like this will require user interaction following the request scenarios in our docs as it hits the authorization endpoint:

     

    Auth Server Request:
    POST /auth/oauth/v2/authorize

     

    body:
    client_id=5edc4a38-75ec-4617-8854-1a71ff1e0a2e&scope=phone+email+address+profile+openid&response_type=token+id_token&redirect_uri=https%3a%2f%2fssg.com%3a8443%2fredirect

     

    Alternatively, we provide assertions to generate and encode the ID token (Generate ID Token and Encode Json Web Token). I would suggest looking at the encapsulated assertion OTK id_token Generation - HS256 for examples of how our policies do this. Out of the box it seems we only use HMAC-SHA-256 secret to sign the payload so I don't have any examples I can provide as far as using the certs to sign and encrypt. This would require a bit of customizing.


    Once the JWT is generated by the gateway/OTK you can POST to /auth/oauth/v2/token with the following
    as part of the form body. This will exchange the JWT for an access token.


    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=<JWT>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>

    ie:
    POST /auth/oauth/v2/token
    Content-type: application/x-www-form-urlencoded
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdF9oYXNoIjoiY29KM09TMmI3VFJqZnV0Z3k1SEl0ZyIsInN1YiI6IlA3NF9vOXVpWEItNFdLWFd0cXNBeHdWREptZUtTeEY5Ni11QTN3OFhSNWsiLCJhdWQiOiI1ZWRjNGEzOC03NWVjLTQ2MTctODg1NC0xYTcxZmYxZTBhMmUiLCJhY3IiOiIwIiwiYXpwIjoiNWVkYzRhMzgtNzVlYy00NjE3LTg4NTQtMWE3MWZmMWUwYTJlIiwiYXV0aF90aW1lIjoxNDgxMjMwMzA0LCJpc3MiOiJodHRwczovL3NzZy5jb20iLCJleHAiOjE0ODEzMTY3MDQsImlhdCI6MTQ4MTIzMDMwNCwibm9uY2UiOiIxNDE5MjYwMzEifQ.VT-m9gN5vaN4lpc7STnoJ95XKp28eM5g6fxBRa_MTDA&client_id=5edc4a38-75ec-4617-8854-1a71ff1e0a2e&client_secret=5005a669-0295-4602-be7d-6a75342db6d8

     

    This will return an access token providing the JWT, id/secret are correct (registered and enabled).

     

    saspr02 may be able to provide more details here. 

     

    Regards,

    Joe



  • 7.  Re: Using JWT for OAuth

    Posted Dec 09, 2016 11:23 AM

    Yes, but, generating the JWT from the gateway, which apparently stores it only in a context variable, doesn't make a lot of sense to me.  How do I get it to the client?  How do I authenticate the client?  It doesn't make any sense to me that a client connects, I generate the JWT and send it to them, then they send it back to my token endpoint.  That accomplishes nothing.  Any client could do it.

     

    Let me back up a bit and explain how I understand the flow to work per specification, which seems to be what is implemented in the example from Salesforce.  (Which is only and example of what we are trying to do, we're not involving Salesforce in the exchange or anything like that.)

     

    1.  The client possesses the JWT.  Doesn't really matter where it came from as long as it is valid in format and content.

    2.  The client signs the JWT with their private key.  Optionally they encrypt it.

    3.  The client sends the JWT to the token endpoint which interprets the signature based on a certificate that has been previously registered with the token endpoint.  If it can validate the signature, it knows it must have come from the holder of the private key.  Typical SSL type behavior.

    4.  The token endpoint issues the access token.

     

    Your scenario would seem to be described as follows (please correct where necessary).

     

    1.  The client connects to the gateway, outside of OTK, and the gateway generates a JWT for them.  I assume it signs or encrypts it.

    2.  The gateway sends the JWT to the client, which in turns sends it back to the token endpoint.

    3.  The token endpoint issues the access token because it can recognize the JWT.  How it recognizes it I don't know because it was only stored in a context variable, which is now gone.  I'm told the architect investigated and said the OTK looks it up in the database, but we don't know how it's supposed to get there.

     

    I don't know how that latter scenario will work because any client could do it, which is what we are trying to avoid.  It would seem we need some out of band process that will "register" the JWT to a specific client, then validate it with that client's certificate.



  • 8.  Re: Using JWT for OAuth

    Posted Mar 13, 2018 06:06 AM

    Hi, We've come across same scenario which you've mentioned.

     

    1.  The client possesses the JWT.  Doesn't really matter where it came from as long as it is valid in format and content.

    2.  The client signs the JWT with their private key.  Optionally they encrypt it.

    3.  The client sends the JWT to the token endpoint which interprets the signature based on a certificate that has been previously registered with the token endpoint.  If it can validate the signature, it knows it must have come from the holder of the private key.  Typical SSL type behavior.

    4.  The token endpoint issues the access token.

     

    Can you provide some input how can we implement the same?There's no user credentials present in our scenario as well.



  • 9.  Re: Using JWT for OAuth

    Posted Mar 13, 2018 12:32 PM

    Hello!

     

    OTK will support this feature soon out of the box. Currently you would have to modify the /token endpoint yourself. If this is for grant_type client credentials only you would have to do the following:

     

    OTK Client Authentication:

     

    That assertion authenticates a client based on client_id/ client_secret. You have to replace this assertion to accept a JWT instead. Or better, use your assertion in addition if the client passes in the parameter 'assertion' and grant_type 'client_credentials'.

    In order to validate the signature you either have to import that clients certificate beforehand or your client has to expose an /jwks.json endpoint. The gateway will then retrieve it from there

     

    Let me know if this helps please!



  • 10.  Re: Using JWT for OAuth

    Posted Mar 13, 2018 12:44 PM

    Any idea when?  Modifying the OTK is something that’s on my back burner now, waiting for time and priority to get to it.



  • 11.  Re: Using JWT for OAuth

    Posted Mar 13, 2018 12:54 PM

    It will most likely be the next release. But unfortunately we cannot mentioned dates. Usually we update OTK 3 or 4 times a year and there has been no release yet in 2018.



  • 12.  Re: Using JWT for OAuth

    Posted May 09, 2018 11:28 PM

    I finally got around to implementing this.  The investigation to figure out how to do it was exponentially more work than implementing it.  We originally wanted to implement it via an Authorization Code flow because of its superior protection against man in the middle attacks, but it turned out to be unworkable due to limitations of the gateway assertion language.

     

    We ended up using OTK id_token Validation - CUSTOM and making our own grant type.  It decodes the JASON Web Token and uses the issuer claim to get the cert name and subject claim to get a user to assign to 'resource owner'.  (We don't use encrypted JWT's).  We then look up the cert in our store and use it to validate the JWT signature.  We had to export the subject to use as a the resource owner farther down in the OTK Token DB Storage because there is no "consent" step from which to set one.

     

    We haven't used it extensively yet, but testing indicates it works.



  • 13.  Re: Using JWT for OAuth

    Posted Dec 09, 2016 12:30 PM

    Hi StPaulPete!

     

    OTK out-of-the box does not support JWT authentication for oauth clients (RFC 7562). OTK only supports JWT representing authenticated users (id_token in terms of OpenID Connect).

    OTK supports JWT signed by itself because federation has not been built in yet. And that is what you are asking for. In order to accept JWT created by other entities OTK has to be modified.

     

    You have asked the following questions:

    • How do we issue the JWT? Well, OTK already does! But it seems you want JWT so be created by other parties and therefore it should be up to that party  to create those JWT
    • How do we get it to the client so it can be used as the request to the token endpoint? That is up to the party that issues the JWT

     

    What you also said is that you do not have a user that could go through the consent screen. In that case you cannot use any flow that uses response_type's but grant_type's (except for authorization_code). For any grant_type your client needs to provide user credentials (except for grant_type=client_credentials) in form of username/password, a SAML token, or a JWT token or other credentials that would work for you. In contrast, the RFC you are referring to is about client authentication using JWT. 

     

    So looking at your comments I have a feeling that some clarification is still required.

     

    Thanks for your thoughts,

    Sascha



  • 14.  Re: Using JWT for OAuth

    Posted Dec 09, 2016 01:54 PM

    The RFC I refer to specifically is entitled " RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants".  Therein it discusses the client auth part being optional.  In section 4 it discusses the authorization grant process.

     

    I think the bottom line is, the OTK does not support this standard.  Which is a perfectly valid answer on your part and I appreciate you taking the time to provide it.  Nothing is perfect, I feel the OTK should support this, but if it doesn't, then we'll probably have to modify it so it does.  I'm going to do a bit more reading of the standard and experimenting with other providers, then I'll look into the OTK assertions.



  • 15.  Re: Using JWT for OAuth

    Posted Dec 09, 2016 02:00 PM

    Please note that we are working on supporting JWT client credentials for future OTK versions. I would appreciate if you could share your plan on how to enable it in your environment. I could take that as input and also provide feedback on how we would suggest to do it.

     

    I am also asking because we are working on the "Easy-button" for upgrading  future versions of OTK. The more we know on how customers use OTK, especially what you need to modify for your environment, the more it helps us doing a better job.

     

    If you want share something please feel free to send me an email: sascha.preibisch@ca.com

     

    Thanks,

    Sascha



  • 16.  Re: Using JWT for OAuth

    Posted Aug 09, 2017 12:53 PM

    Hello Sasha,

     

    When OTK will support  private_key_jwt authentication as specified in the Open_ID Spec (http://openid.net/specs/openid-connect-core-1_0.html)?

     

    Thanks,

    Zoran



  • 17.  Re: Using JWT for OAuth

    Posted Aug 09, 2017 12:57 PM

    Hi Zoran!

    It will take 1 or 2 more releases of OTK. Currently you need to implement support for that type of token yourself.

    However, if you would provide me with some details (e.g.: what should be included, do you want to issue both types of token?) I may be able to write a blog post on how to do that. You can send me an email if you like: sascha.preibisch@ca.com

    I hope this helps,

    Sascha