To authorize a client application using the secret post type, you need to add parameters to the existing request:
client_assertion_type = urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion — one-time jwt token
Example:
client_id = id-wEkziJ6jW6dJg36GT2a1ww7C4BpLeXCrMRLAVgOyQNgSKZV
client_secret = N2f9TvacRuBsRLQ2mSw9HOQ2GoLCDIaDPsoXfT0xNu8kcuAZSO
Friendly OAuth2 Server
Friendly oAuth2 server documentation
Authorization secret jwt
General information about client authorization using the secret jwt method
1) A jwt token with parameters is created:
jti — token identifier in the OAuth2 server database
iss — client identifier
sub — client identifier
aud — OAuth2 server address
iat — token expiration time
2) The client_secret value is hashed in SHA256.
Next, an HMAC key for AES256 encryption is created from the hash.
3) The token is signed with this key.
Example request in cURL:
curl --request POST \
--url http://localhost:9000/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
--data client_assertion=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0LTE3MTgxODk3NjMxOTciLCJpc3MiOiJpZC13RWt6aUo2alc2ZEpnMzZHVDJhMXd3N0M0QnBMZVhDck1STEFWZ095UU5nU0taViIsInN1YiI6ImlkLXdFa3ppSjZqVzZkSmczNkdUMmExd3c3QzRCcExlWENyTVJMQVZnT3lRTmdTS1pWIiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo5MDAwL29hdXRoMi90b2tlbiIsImlhdCI6MTcxODE4OTc2M30.0sYg1ozuqOtPsDja5D_tjVTCQMdnLge8gDuMRv4ZbRQ
A practical example of client authorization using the secret jwt method
0) Since in this section we will only test client authorization, in the admin panel we will set the OAuth2 mode - OAuth2 client credential flow, and the client authorization value Client secret jwt
1) For training, we will create a test client
2) Open the modal form for the key area and generate client secret jwt
3) Let's create a POST request to address http://localhost:9000/oauth2/token
And we will receive an access token.