
Client Authentication

Janssen Server supports authentication of confidential clients at the token endpoint. A confidential client has to specify its preferred authentication method during client registration. Client authentication is defined in the client authentication section of the OAuth framework and in the token_endpoint_auth_method entry of the OpenID Connect Client Metadata.

Supported Authentication Methods

The authentication methods supported by a Janssen Server host are listed in the response of that server's well-known configuration endpoint:

https://janssen.server.host/jans-auth/.well-known/openid-configuration

The token_endpoint_auth_methods_supported claim in the response lists all the supported methods.

Authentication Methods

Authentication methods fall into two broad categories:

  1. Shared key based
  2. Private key based

Shared key based authentication is simpler to implement, but it is less secure than private key based authentication, primarily because with a shared key method the client secret itself is transmitted between client and authorization server at some point during the authentication process.

The characteristics table below compares the supported authentication methods side by side.

| Method | Secret Not Sent in Clear | Signed | Only client has secret | Token Expiry |
|---|---|---|---|---|
| client_secret_basic | No | No | No | No |
| client_secret_post | No | No | No | No |
| client_secret_jwt | Yes | Yes | No | Yes |
| private_key_jwt | Yes | Yes | Yes | Yes |
| tls_client_auth | | | | |
| self_signed_tls_client_auth | | | | |
| none | | | | |

client_secret_basic

The default authentication method for Janssen Server. It authenticates clients using the method described in the client authentication section of the OAuth framework.

client_secret_post

The client_secret_post method authenticates clients using the method described in the client authentication section of the OAuth framework, with the client credentials added to the request body.
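As an added example (not code from the Janssen project), the Go program below shows where the two shared-secret methods place the credentials: client_secret_basic in the Authorization header, client_secret_post in the form body. It also shows the authorization-server side of the Basic check. The client_id and secret are constructed sample values, and the secret deliberately contains characters that must be form-urlencoded before Base64 encoding, a step that is easy to forget.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample credentials; not values issued by any real Janssen Server.
const (
	sampleClientID     = "1001.a1b2c3d4-example"
	sampleClientSecret = "s3cr3t+with/special chars"
)

// BasicAuthHeader builds the Authorization header used by client_secret_basic.
// RFC 6749 section 2.3.1 requires client_id and client_secret to be form-urlencoded
// before they are joined with ':' and Base64-encoded; skipping that step silently
// breaks authentication for secrets containing '+', '/', ':' or a space.
func BasicAuthHeader(clientID, clientSecret string) string {
	creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}

// TokenRequestBody builds the application/x-www-form-urlencoded token request body.
// With client_secret_post the credentials travel in the body; with client_secret_basic
// the body carries only the grant parameters and the header above carries the secret.
func TokenRequestBody(method, clientID, clientSecret string) string {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	if method == "client_secret_post" {
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	}
	return form.Encode()
}

// CheckBasicAuth is the authorization-server side of client_secret_basic: decode,
// un-escape, then compare both fields in constant time so that response timing does
// not reveal how many leading bytes of a guessed secret were right.
func CheckBasicAuth(header, expectedID, expectedSecret string) bool {
	if !strings.HasPrefix(header, "Basic ") {
		return false
	}
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return false
	}
	fields := strings.SplitN(string(decoded), ":", 2)
	if len(fields) != 2 {
		return false
	}
	gotID, err1 := url.QueryUnescape(fields[0])
	gotSecret, err2 := url.QueryUnescape(fields[1])
	if err1 != nil || err2 != nil {
		return false
	}
	idOK := subtle.ConstantTimeCompare([]byte(gotID), []byte(expectedID))
	secretOK := subtle.ConstantTimeCompare([]byte(gotSecret), []byte(expectedSecret))
	return (idOK & secretOK) == 1
}

func main() {
	header := BasicAuthHeader(sampleClientID, sampleClientSecret)
	fmt.Println("Authorization:", header)
	fmt.Println("client_secret_post body:", TokenRequestBody("client_secret_post", sampleClientID, sampleClientSecret))
	fmt.Println("server accepts header:", CheckBasicAuth(header, sampleClientID, sampleClientSecret))
}
```

Both functions assume TLS underneath: the secret is protected only by the transport, which is why the table above marks these methods as sending the secret.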

client_secret_jwt

Like the client_secret_basic and client_secret_post methods, this method is also based on a shared secret that the client receives from Janssen Server. But instead of sending the secret back to the authorization server every time, the client creates a JWT using an HMAC SHA algorithm with the shared secret as the key. This method is more secure than client_secret_basic and client_secret_post for the following reasons:

  • The secret, shared once, is never transmitted again
  • The JWT can carry an expiration time beyond which it can no longer be used, which shortens the window in which a compromised JWT can be replayed

This method is further described in the OpenID Connect specification, section 9.
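The following Go program is an added example, not code from the Janssen project, of what the two bullet points above mean in practice. The client builds an HS256 assertion keyed with the shared secret, so the secret itself never leaves the client; the authorization server recomputes the MAC, pins the algorithm to the one registered for the client, enforces the expiry, and keeps a jti cache so the same assertion cannot be presented twice. The client_id, the token endpoint path and the in-memory replay cache are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const clientID = "1001.a1b2c3d4-example"                                   // constructed sample client_id
const tokenEndpoint = "https://janssen.server.host/jans-auth/restv1/token" // assumed path, not taken from the page

// Claims carried by the client assertion (OpenID Connect Core, section 9).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret, input []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(input)
	return mac.Sum(nil)
}

// BuildAssertion is the client side: the shared secret keys the MAC but never leaves the
// client; jti is random so each assertion is unique, and a short ttl bounds replay.
func BuildAssertion(secret []byte, now time.Time, ttl time.Duration) string {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand: fills the buffer from the OS CSPRNG
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	claims, _ := json.Marshal(Claims{Iss: clientID, Sub: clientID, Aud: tokenEndpoint, Jti: b64(jti), Exp: now.Add(ttl).Unix()})
	input := b64(header) + "." + b64(claims)
	return input + "." + b64(hs256(secret, []byte(input)))
}

// VerifyAssertion is the authorization-server side. It pins alg to HS256 (the token never
// picks its own algorithm), recomputes the MAC with the client's registered secret and
// compares in constant time, enforces aud and exp, and rejects a jti already in seen.
// A production replay cache would evict entries once their exp has passed.
func VerifyAssertion(token string, secret []byte, now time.Time, seen map[string]bool) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("malformed JWT")
	}
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("alg %q is not the one registered for this client", hdr.Alg)
	}
	if !hmac.Equal(sig, hs256(secret, []byte(parts[0]+"."+parts[1]))) {
		return nil, errors.New("bad signature")
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenEndpoint {
		return nil, errors.New("iss, sub or aud mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("assertion expired")
	}
	if seen[c.Jti] {
		return nil, errors.New("replayed jti")
	}
	seen[c.Jti] = true
	return &c, nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	tok := BuildAssertion(secret, time.Now(), time.Minute)
	_, err := VerifyAssertion(tok, secret, time.Now(), map[string]bool{})
	fmt.Println(tok, "\nverified:", err == nil)
}
```

The "Only client has secret" column of the table still reads No for this method: the server must hold the same secret to recompute the MAC, which is the gap private_key_jwt closes.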

Client Configuration For Using client_secret_jwt

Janssen Server clients should specify the preferred algorithm for use with this method during client configuration.

The algorithms supported by Janssen Server are listed in the response of the well-known configuration endpoint, in the token_endpoint_auth_signing_alg_values_supported claim.

To specify the preferred algorithm for a client using the Janssen Text-based UI (TUI), navigate via Auth Server -> Get or add clients -> encryption/signing -> TODO: which exact properties.

private_key_jwt

private_key_jwt is a private key based method in which no secret is shared between client and authorization server. This method is further described in the OpenID Connect specification, section 9.

Janssen Server implements signing and encryption following the guidelines in section 10 of the OpenID Connect specification. Clients should sign and encrypt the JWT as their security requirements dictate.

Client Configuration For Using private_key_jwt

Janssen Server clients can specify signing and encryption keys in the client configuration, either as a JWKS value or as a JWKS reference URI.

To set the JWKS value or reference URI using the Janssen Text-based UI (TUI), navigate via Auth Server -> Get or add clients -> encryption/signing -> set a value for Client JWKS URI or Client JWKS.
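As an added example (not Janssen code), the Go program below covers the private_key_jwt side of the picture: the client generates an RSA key pair, publishes only the public half as the JWKS document that goes into Client JWKS (or is served at the Client JWKS URI), and signs the JWS signing input with its private key; the server rebuilds the public key from the registered JWKS by kid and verifies the RS256 signature. The JWK field names follow RFC 7517/7518; the kid derivation, the 2048-bit key size and the sample signing input are choices made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWK is the subset of an RSA public JWK (RFC 7517 / RFC 7518) needed here.
// There is deliberately no private field, so a JWK built here cannot leak the key.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewClientKey generates the client's key pair. The private half stays with the client;
// only the JWKS built from the public half is registered with the authorization server.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PublicJWKS renders the public key as the JWKS document a client registers (or serves at
// its JWKS URI). kid is derived from the modulus so that it changes on every key rotation.
func PublicJWKS(priv *rsa.PrivateKey) (string, error) {
	n := priv.PublicKey.N.Bytes()
	e := big.NewInt(int64(priv.PublicKey.E)).Bytes()
	sum := sha256.Sum256(n)
	set := JWKS{Keys: []JWK{{Kty: "RSA", Use: "sig", Alg: "RS256", Kid: b64(sum[:]), N: b64(n), E: b64(e)}}}
	out, err := json.Marshal(set)
	return string(out), err
}

// PublicKeyFromJWKS is the server side: select the key with the wanted kid out of the
// registered JWKS and rebuild an rsa.PublicKey from its n and e members.
func PublicKeyFromJWKS(doc, kid string) (*rsa.PublicKey, error) {
	var set JWKS
	if err := json.Unmarshal([]byte(doc), &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, err1 := base64.RawURLEncoding.DecodeString(k.N)
		e, err2 := base64.RawURLEncoding.DecodeString(k.E)
		if err1 != nil || err2 != nil || len(e) == 0 || len(e) > 4 {
			return nil, errors.New("malformed JWK")
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q", kid)
}

// SignRS256 is what the client does to the JWS signing input
// (base64url(header) + "." + base64url(claims)) with its private key.
func SignRS256(priv *rsa.PrivateKey, signingInput []byte) ([]byte, error) {
	h := sha256.Sum256(signingInput)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifyRS256 is what the server does with the public key recovered from the JWKS.
func VerifyRS256(pub *rsa.PublicKey, signingInput, sig []byte) bool {
	h := sha256.Sum256(signingInput)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, _ := NewClientKey()
	doc, _ := PublicJWKS(priv)
	fmt.Println(doc)
}
```

Rotating the client key means publishing a new JWK with a new kid alongside the old one until every outstanding assertion has expired, then dropping the old entry; a JWKS URI makes that rotation possible without re-registering the client.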

tls_client_auth

TODO: add more details

self_signed_tls_client_auth

TODO: add more details

none

TODO: add more details

Want to contribute?

If you have content you'd like to contribute to this page in the meantime, you can get started with our Contribution guide.


Last update: 2023-01-27
Created: 2022-07-21