-
Notifications
You must be signed in to change notification settings - Fork 24
Creating authorization endpoint with signed request object
duttarnab edited this page Apr 28, 2021
·
2 revisions
To signed/encyrpted request object
on the client-side we need to generate client-jwks. In oxd we are using org.gluu.oxauth.model.crypto.OxAuthCryptoProvider
(from oxauth) to generate jwks.
- Create an instance of
OxAuthCryptoProvider
providing Keystore-Path, Keystore-password, and CryptProvider-dn-name (any appropriate dn) as parameters.
this.cryptoProvider = new OxAuthCryptoProvider(configuration.getCryptProviderKeyStorePath(), configuration.getCryptProviderKeyStorePassword(), configuration.getCryptProviderDnName());
- Later generating keys using
generateKey
method ofOxAuthCryptoProvider
JSONObject result = this.cryptoProvider.generateKey(algorithm, calendar.getTimeInMillis(), Use.SIGNATURE);
Please follow https://github.com/GluuFederation/oxd/blob/master/oxd-server/src/main/java/org/gluu/oxd/server/service/KeyGeneratorService.java for details
In registered OIDC client (on oxtrust) add the following fields in Encryption/signing settings
tab and save:
-
JWS alg Algorithm for signing Request Objects
- define the algorithm to sign the request object. -
JWKS
- Defineclient-jwks
in this field.
- Create Request Object JWT by adding signing Algo, and keyId to its header and setting the other parameters to its claims.
- Sign Request Object jwt using
sign
method oforg.gluu.oxauth.model.crypto.OxAuthCryptoProvider
(pass the required params).
- The authorization URL with the signed request object can be created by adding the request-object to the request param.
ex: https://openid.net/specs/openid-connect-core-1_0.html#RequestParameter
Reference: https://openid.net/specs/openid-connect-core-1_0.html#RequestObject