# Client Authentication

Janssen Server supports authentication for confidential clients at the token endpoint. Confidential clients have to specify a preferred method of authentication during the client registration process. Client authentication is defined by OAuth and OpenID Connect: see the `token_endpoint_auth_method` parameter in the OpenID Connect Client Metadata section and the client authentication section.
## Supported Authentication Methods

The authentication methods supported by a Janssen Server host are listed in the response of the server's well-known configuration endpoint:

https://janssen.server.host/jans-auth/.well-known/openid-configuration

The `token_endpoint_auth_methods_supported` claim in the response lists all the supported methods.
## Authentication Methods

Authentication methods fall into two broad categories:
- Shared key based
- Private key based
While shared key based authentication is simpler to implement, it is less secure than private key based authentication mechanisms. This is primarily because, with shared key based authentication methods, the client secret is transferred between the client and the authorization server at some point during the authentication process.

The characteristics table below shows a side-by-side comparison of the supported authentication methods.
| Method | Secret Not Sent in Clear | Signed | Only client has secret | Token Expiry |
|---|---|---|---|---|
| client_secret_basic | | | | |
| client_secret_post | | | | |
| client_secret_jwt | | | | |
| private_key_jwt | | | | |
| tls_client_auth | | | | |
| self_signed_tls_client_auth | | | | |
| none | | | | |
### client_secret_basic

This is the default authentication method for Janssen Server. It authenticates clients using the method described in the client authentication section of the OAuth framework.
### client_secret_post

The `client_secret_post` method authenticates clients using the method described in the client authentication section of the OAuth framework, passing the client credentials in the request body.
### client_secret_jwt

Like the `client_secret_basic` and `client_secret_post` methods, this method is also based on a shared secret that the client receives from Janssen Server. But instead of sending the secret back to the authorization server every time, the client creates a JWT using an HMAC SHA algorithm where the shared secret is used as the key. This method is more secure than `client_secret_basic` and `client_secret_post` for the following reasons:

- The secret, which is shared once, is never transmitted again.
- The JWT can carry an expiration time, beyond which the same JWT cannot be used. This reduces the time window for replay of the same token in case it is compromised.

This method is further described in the OpenID Connect specification, section 9.
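As an added illustration (not code from the Janssen project), here is the client_secret_jwt exchange in Python using only the standard library: the client builds the HS256 client assertion keyed with the shared secret, and the server-side check verifies the signature, issuer, audience, expiry and jti, so an intercepted assertion is usable only briefly and only once. The client id, secret and token endpoint path are assumed values.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed values for the example (not from the Janssen docs): a registered
# client, its shared secret, and the token endpoint URL the assertion is audienced to.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-shared-secret-issued-at-registration"
TOKEN_ENDPOINT = "https://janssen.server.host/jans-auth/restv1/token"  # assumed path

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, secret, audience, lifetime=60, now=None):
    """Client side: build the client_assertion JWT, HS256 keyed with the shared secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_assertion(token, secret, client_id, audience, now=None, seen_jti=None):
    """Server side: check alg, HMAC, iss/sub, aud, exp and jti replay; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, c64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return False, "unexpected alg"          # rejects alg=none and any non-HMAC alg
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"           # constant-time comparison
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "issuer/subject mismatch"
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"                 # the replay window the page describes
    if seen_jti is not None:                    # per-server set of already used jti values
        if claims.get("jti") in seen_jti:
            return False, "replayed jti"
        seen_jti.add(claims["jti"])
    return True, "ok"
```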
#### Client Configuration For Using client_secret_jwt

Janssen Server clients should specify the preferred algorithm for use with this method during client configuration. The algorithms supported by Janssen Server are listed in the response of the server's well-known configuration endpoint; the `token_endpoint_auth_signing_alg_values_supported` claim in that response lists the supported algorithms.

To specify the preferred algorithm for a client using the Janssen Text-based UI (TUI), navigate via Auth Server -> Get or add clients -> encryption/signing -> TODO: which exact properties.
### private_key_jwt

`private_key_jwt` is a private key based method where no secret is shared between the client and the authorization server. This method is further described in the OpenID Connect specification, section 9.

Janssen Server implements the signing and encryption mechanism following the guidelines in section 10 of the OpenID Connect specification. Clients should sign and encrypt the JWT as per their security requirements.
#### Client Configuration For Using private_key_jwt

Janssen Server clients can specify signing and encryption keys using client configuration. Clients can specify the JWKS either as a value or as a reference URI.

To specify JWKS values or a reference URI using the Janssen Text-based UI (TUI), navigate via Auth Server -> Get or add clients -> encryption/signing -> set the value for Client JWKS URI or Client JWKS.
### tls_client_auth
TODO: add more details
### self_signed_tls_client_auth
TODO: add more details
### none
TODO: add more details
## Want to contribute?
If you have content you'd like to contribute to this page in the meantime, you can get started with our Contribution guide.
Created: 2022-07-21